Add resource-options-for-all specification

Specification defining the addition of resource options for all
resources within Keystone isntead of just users.

Change-Id: I6228e503f908b4bc82aa55b908995314e3e6adf7
partial-bug: 1807751

specs/keystone/train/resource-options-for-all.rst

@@ -0,0 +1,133 @@
+..
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
+ License.
+
+ http://creativecommons.org/licenses/by/3.0/legalcode
+
+=======================================
+Resource options for all resource types
+=======================================
+
+`bug #1807751 <https://bugs.launchpad.net/keystone/+bug/1807751>`_
+
+
+Resource Options have been implemented for the User resource type. These are
+used for PCI-DSS controls (e.g. exempting a user from password change
+requirements) and Multi-Factor Auth login rules. The other resource types
+within keystone will benefit from a similar set of technologies. Examples
+of use cases are:
+
+* Limit login to specific origins (IP Addrs) for tokens scoped to a given
+  project or domain
+
+* Apply default PCI-DSS options to all users contained within a Domain, e.g.
+  exempt all service users in a ``service`` domain from password change
+  requirements.
+
+* Apply default Multi-Factor-Auth rules to all logins scoping to a given
+  domain or project.
+
+
+Problem Description
+===================
+
+Each resource type may have explicit controls or options that are unique to
+that resource class (e.g. exempting a user from PCI-DSS password change
+requirements). This specification proposes expanding the resource option
+functionality from users to encompass all resource types. This is implementing
+the scaffolding for future options to be built upon. No options will be
+added in the scope of this specification.
+
+Proposed Change
+===============
+
+Add the same controls, db tables, and responses for all resource types that
+currently do not have resource options implemented. This will be implemented
+as part of the base SQL Model class defined within keystone, all future
+resource types will be expected to implement the resource option functionality.
+
+Alternatives
+------------
+
+* Option #1: implement resource options explicitly when needed for a
+  given resource class.
+
+* Option #2: do not implement resource options and tool the functionality
+  separately for the same behaviors.
+
+
+Security Impact
+---------------
+
+This is structure and code capability implementation and should have no
+security impact.
+
+Notifications Impact
+--------------------
+
+None
+
+Other End User Impact
+---------------------
+
+Users will see an added ``resource_options`` response for resources.
+
+Performance Impact
+------------------
+
+The additional DB lookups for extracting the resource options will add
+additional load to keystone. Most resources will have no resource options
+and those that do have resource options will be (by default) leaning on
+SQL indexes to mitigate the potential additional load.
+
+Other Deployer Impact
+---------------------
+
+No deployer impact until future options are implemented.
+
+Developer Impact
+----------------
+
+Developers will need to implement resource option functionality for all new
+resource types after this spec is implemented.
+
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+Primary assignee:
+  morgan fainberg <morgan.fainberg@gmail.com>
+
+
+Work Items
+----------
+
+* Implement DB Migrations to add the resource option tables for each resource
+  type/class.
+
+* Implement the API handlers to process and validate resource options for each
+  resource type.
+
+* Implement resource option base code into the SQL Model base defined within
+  keystone.
+
+
+Dependencies
+============
+
+None
+
+
+Documentation Impact
+====================
+
+Documentation on adding new resource options will be needed.
+
+
+References
+==========
+
+N/A