diff --git a/doc/source/contributor/index.rst b/doc/source/contributor/index.rst index a56266d874..4ef98744f7 100644 --- a/doc/source/contributor/index.rst +++ b/doc/source/contributor/index.rst @@ -37,3 +37,4 @@ Contributor Documentation services.rst developing-drivers.rst service-catalog.rst + vision-reflection.rst diff --git a/doc/source/contributor/vision-reflection.rst b/doc/source/contributor/vision-reflection.rst new file mode 100644 index 0000000000..79797bba73 --- /dev/null +++ b/doc/source/contributor/vision-reflection.rst @@ -0,0 +1,114 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +============================= +Technical Vision for Keystone +============================= + +This document is a self-evaluation of keystone with regard to the +Technical Committee's `technical vision`_ and serves as a basis for guiding the +mission of the keystone project. The objectives captured here are what the +keystone team strives to build. New features and design changes should be +compared with this document before being embarked upon. When such proposals are +not in alignment, propose a change to this document or to the overall `technical +vision`_ to initiate a discussion on the renewed vision for the project. + +.. _technical vision: https://governance.openstack.org/tc/reference/technical-vision.html + +Mission Statement +================= + +Keystone's mission is to provide secure and user-friendly authentication and +authorization for multi-tenant services. + +Vision for OpenStack +==================== + +Self-service +------------ + +Keystone needs to strive to provide a flexible and simple mechanism to expose +OpenStack functionality safely and securely in a multi-tenant environment, to +enable a true self-service experience for end users in a shared-resource system. + +Application Control +------------------- + +Keystone provides the ability for applications to have their own identity +through `application credentials`_, in service of developers building +applications that need to access cloud APIs and cloud-native applications. + +.. _application credentials: https://docs.openstack.org/keystone/latest/user/application_credentials.html + +Interoperability +---------------- + +Keystone strives for a completely seamless experience for end users and +applications running on multiple clouds. Initiatives in service of providing +such a consistent user experience include providing a discovery mechanism for +available functionality, eliminating optional API extensions, and providing +useful default roles which eliminate the need for inconsistently-named, +operator-defined roles for similar access levels between clouds. Keystone is +also capable of itself acting as a bridge between separate clouds through its +Keystone-to-Keystone federated authentication functionality. + +Partitioning +------------ + +Keystone's service catalog mechanism makes it possible for users to have +authorization for resources in geographically distributed regions, and +keystone's various mechanisms for distributed authentication, such as using a +distributed database or LDAP identity backend, using an external authentication +source, or federating keystone itself to provide distributed identity providers, +support geographically distributed computing. Keystone hopes to create a +consistent user story and reference architecture for large-scale distributed +deployments, including edge-computing use cases. + +Basic Physical Data Center Management +------------------------------------- + +In support of OpenStack being primarily a data center management tool, keystone +should always work out of the box and not rely on the pre-existence of another +identity management system in the data center. In practice this means always +continuing to support a SQL storage backend for user data. + +Plays Well With Others +---------------------- + +Keystone encourages its use outside of an OpenStack environment. In support of +this, keystone supports a standard authentication token format (`JWT`_) that can +be understood by many applications, and seeks to support full Single-Sign-On +functionality that can be used in front of any web application. + +.. _JWT: https://tools.ietf.org/html/rfc7519 + +Customizable Integration +------------------------ + +In service of supporting customizable integration both between OpenStack +services and from client applications, keystone has an ongoing mission to +fulfill the Principle of Least Privilege and permit the cloud consumer to +delegate only the minimum permissions needed to an application. Keystone works +to provide this both through reforming OpenStack policy to make it easier to +manage across services, and by providing new mechanisms such as application +credential access rules to allow users to restrict capabilities of applications +to a subset of service APIs. + +Graphical User Interface +------------------------ + +Keystone does not provide a graphical user interface, but must always be mindful +of how its APIs will be presented in dashboards. For some features, such as +Single-Sign-On authentication, keystone may provide its own graphical user +interface in order to provide a smooth web-login experience without requiring a +dependency on another dashboard.