Add a feature support matrix for identity sources

This introduces the various ways you can configure keystone to
authenticate users, and provides a little compare/contrast to help
people understand how each solution behaves at a high level before
diving deeper.

This patch covers:

- SQL
- LDAP (considering that all write operations are deprecated)
- External authentication (REMOTE_USER)
- OAuth 1.0a
- OpenID Connect
- SAMLv2

Change-Id: I86dfbd2c1f7fed199c612dd1456358e559da3fad

doc/source/configuration.rst

@@ -107,6 +107,23 @@ is not an absolute path, then Keystone looks for it in the same directories as
 above. If not specified, WSGI pipeline definitions are loaded from the primary
 configuration file.
 
+Identity sources
+----------------
+
+One of the most impactful decisions you'll have to make when configuring
+keystone is deciding how you want keystone to source your identity data.
+Keystone supports several different choices that will substantially impact how
+you'll configure, deploy, and interact with keystone.
+
+You can also mix-and-match various sources of identity (see `Domain-specific
+Drivers`_ below for an example). For example, you can store OpenStack service
+users and their passwords in SQL, manage customers in LDAP, and authenticate
+employees via SAML federation.
+
+.. support_matrix:: identity-support-matrix.ini
+
+.. Domain-specific Drivers:
+
 Domain-specific Drivers
 -----------------------
 

doc/source/identity-support-matrix.ini

@@ -0,0 +1,120 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This file contains a specification of what feature capabilities each driver
+# is able to support. Feature capabilities include what API operations are
+# supported, what backend behaviors features can be used and what aspects of
+# the driver implementation can be configured. The capabilities can be
+# considered to be structured into nested groups, but in this file they have
+# been flattened for ease of representation. The section names represent the
+# group structure. At the top level there are the following groups defined:
+#
+# - operation: Public API operations.
+# - feature: Features of the driver.
+#
+# When considering which capabilities should be marked as mandatory, consider
+# the following guiding principles.
+#
+# The 'status' field takes possible values:
+#
+# - mandatory: Unconditionally required to be implemented.
+# - optional: Optional to support, but nice to have.
+# - choice(group): At least one of the options within the named group
+#                  must be implemented.
+# - conditional(cond): Required, if the referenced condition is met.
+#
+# The value against each 'impl-XXXX' entry refers to the level of the
+# implementation of the feature in that driver:
+#
+# - complete: Fully implemented, expected to work at all times.
+# - partial: Implemented, but with caveats about when it will work.
+#            For example, some configurations or hardware or guest OS may not
+#            support it.
+# - missing: Not implemented at all.
+#
+# In the case of the driver being marked as 'partial', then
+# 'notes-XXX' entry should be used to explain the caveats around the
+# implementation.
+#
+# The 'cli' field takes a list of client commands, separated by semicolon.
+# These CLi commands are related to that feature.
+# Example:
+# cli=openstack domain list;openstack domain show <domain>
+#
+[targets]
+# List of driver implementations for which we are going to track the status of
+# features. This list only covers drivers that are in tree. Out of tree
+# drivers should maintain their own equivalent document, and merge it with this
+# when their code merges into core.
+
+driver-impl-sql=SQL
+driver-impl-ldap=LDAP
+driver-impl-oauth1=OAuth v1.0a
+driver-impl-external=REMOTE_USER
+driver-impl-oidc=OpenID Connect
+driver-impl-samlv2=SAML v2
+
+[feature.local_authentication]
+title=Local authentication
+status=optional
+notes=Authenticate with keystone by providing credentials directly to keystone.
+driver-impl-sql=complete
+driver-impl-ldap=complete
+driver-impl-oauth1=complete
+driver-impl-external=missing
+driver-impl-oidc=missing
+driver-impl-samlv2=missing
+
+[feature.external_authentication]
+title=External authentication
+status=optional
+notes=Authenticate with keystone by providing credentials to an external system
+  that keystone trusts (as with federation).
+driver-impl-sql=missing
+driver-impl-ldap=missing
+driver-impl-oauth1=missing
+driver-impl-external=complete
+driver-impl-oidc=complete
+driver-impl-samlv2=complete
+
+[feature.identity_crud]
+title=Identity management
+status=optional
+notes=Create, update, enable/disable, and delete users via Keystone's HTTP API.
+driver-impl-sql=complete
+driver-impl-ldap=partial
+driver-impl-oauth1=complete
+driver-impl-external=missing
+driver-impl-oidc=missing
+driver-impl-samlv2=missing
+
+[feature.pci_controls]
+title=PCI-DSS controls
+status=optional
+notes=Configure keystone to enforce PCI-DSS compliant security controls.
+driver-impl-sql=complete
+driver-impl-ldap=partial
+driver-impl-oauth1=missing
+driver-impl-external=partial
+driver-impl-oidc=missing
+driver-impl-samlv2=missing
+
+[feature.auditing]
+title=Auditing
+status=optional
+notes=Audit authentication flows using PyCADF.
+driver-impl-sql=complete
+driver-impl-ldap=complete
+driver-impl-oauth1=missing
+driver-impl-external=missing
+driver-impl-oidc=complete
+driver-impl-samlv2=complete