Document user options

User options have been available in keystone for a few releases but
there isn't any official documentation for them.

This commit add a general section to the administrator guide that
attempts to describe each options and its type.

Change-Id: Ib0cc07236ba9083c2a35bf8ac6444ccfd19b7219
Related-Bug: 1792026

doc/source/admin/identity-resource-options.rst

@@ -0,0 +1,89 @@
+================
+Resource Options
+================
+
+A resource option is an attribute that can be optionally set on an entity in
+keystone. These options are used to control specific features or behaviors
+within keystone. This allows flexibility on a per-resource basis as opposed to
+settings a configuration file value that controls a behavior for all resources
+in a deployment.
+
+This flexibility can be useful for deployments is setting different
+authentication requirements for users. For example, operators can use resource
+options to set the number of failed authentication attempts on a per-user basis
+as opposed to setting a global value that is applied to all users.
+
+The purpose of this document is to formally document the supported resource
+options used in keystone, their intended behavior, and how to use them.
+
+User Options
+============
+
+The following options are available on user resources. If left undefined, they
+are assumed to be false or disabled.
+
+ignore_change_password_upon_first_use
+-------------------------------------
+
+Type: ``Boolean``
+
+Control if a user should be forced to change their password immediately after
+they log into keystone for the first time. This can be useful for deployments
+that auto-generate passwords but want to ensure a user picks a new password
+when they start using the deployment.
+
+See the `security compliance documentation
+<identity-security-compliance.html>`_ for more details.
+
+ignore_password_expiry
+----------------------
+
+Type: ``Boolean``
+
+Opt into ignoring global password expiration settings defined in
+``keystone.conf [security_compliance]`` on a per-user basis. Setting this
+option to ``True`` will allow users to continue using passwords that may be
+expired according to global configuration values.
+
+See the `security compliance documentation
+<identity-security-compliance.html>`_ for more details.
+
+ignore_lockout_failure_attempts
+-------------------------------
+
+Type: ``Boolean``
+
+If ``True``, opt into ignoring the number of times a user has authenticated and
+locking out the user as a result.
+
+See the `security compliance documentation
+<identity-security-compliance.html>`_ for more details.
+
+lock_password
+-------------
+
+Type: ``Boolean``
+
+If set to ``True``, this option disables the ability for users to change their
+password through self-service APIs.
+
+See the `security compliance documentation
+<identity-security-compliance.html>`_ for more details.
+
+multi_factor_auth_enabled
+-------------------------
+
+Type: ``Boolean``
+
+Specify if a user has multi-factor authentication enabled on their account.
+This will result in different behavior at authentication time and the user may
+be presented with different authentication requirements based on multi-factor
+configuration.
+
+multi_factor_auth_rules
+-----------------------
+
+Type: ``List of Lists of Strings``
+
+Define a list of strings that represent the methods required for a user to
+authenticate.

doc/source/admin/index.rst

@@ -29,6 +29,7 @@ command-line client.
    identity-use-trusts.rst
    identity-caching-layer.rst
    identity-security-compliance.rst
+   identity-resource-options.rst
    identity-performance.rst
    identity-keystone-usage-and-features.rst
    identity-auth-token-middleware.rst