keystone/doc/source/identity-support-matrix.ini
Dolph Mathews 428a6e0faa Add a feature support matrix for identity sources
This introduces the various ways you can configure keystone to
authenticate users, and provides a little compare/contrast to help
people understand how each solution behaves at a high level before
diving deeper.

This patch covers:

- SQL
- LDAP (considering that all write operations are deprecated)
- External authentication (REMOTE_USER)
- OAuth 1.0a
- OpenID Connect
- SAMLv2

Change-Id: I86dfbd2c1f7fed199c612dd1456358e559da3fad
2016-08-29 13:56:47 -05:00

121 lines
4.2 KiB
INI

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# This file contains a specification of what feature capabilities each driver
# is able to support. Feature capabilities include what API operations are
# supported, what backend behaviors features can be used and what aspects of
# the driver implementation can be configured. The capabilities can be
# considered to be structured into nested groups, but in this file they have
# been flattened for ease of representation. The section names represent the
# group structure. At the top level there are the following groups defined:
#
# - operation: Public API operations.
# - feature: Features of the driver.
#
# When considering which capabilities should be marked as mandatory, consider
# the following guiding principles.
#
# The 'status' field takes possible values:
#
# - mandatory: Unconditionally required to be implemented.
# - optional: Optional to support, but nice to have.
# - choice(group): At least one of the options within the named group
# must be implemented.
# - conditional(cond): Required, if the referenced condition is met.
#
# The value against each 'impl-XXXX' entry refers to the level of the
# implementation of the feature in that driver:
#
# - complete: Fully implemented, expected to work at all times.
# - partial: Implemented, but with caveats about when it will work.
# For example, some configurations or hardware or guest OS may not
# support it.
# - missing: Not implemented at all.
#
# In the case of the driver being marked as 'partial', then
# 'notes-XXX' entry should be used to explain the caveats around the
# implementation.
#
# The 'cli' field takes a list of client commands, separated by semicolon.
# These CLi commands are related to that feature.
# Example:
# cli=openstack domain list;openstack domain show <domain>
#
[targets]
# List of driver implementations for which we are going to track the status of
# features. This list only covers drivers that are in tree. Out of tree
# drivers should maintain their own equivalent document, and merge it with this
# when their code merges into core.
driver-impl-sql=SQL
driver-impl-ldap=LDAP
driver-impl-oauth1=OAuth v1.0a
driver-impl-external=REMOTE_USER
driver-impl-oidc=OpenID Connect
driver-impl-samlv2=SAML v2
[feature.local_authentication]
title=Local authentication
status=optional
notes=Authenticate with keystone by providing credentials directly to keystone.
driver-impl-sql=complete
driver-impl-ldap=complete
driver-impl-oauth1=complete
driver-impl-external=missing
driver-impl-oidc=missing
driver-impl-samlv2=missing
[feature.external_authentication]
title=External authentication
status=optional
notes=Authenticate with keystone by providing credentials to an external system
that keystone trusts (as with federation).
driver-impl-sql=missing
driver-impl-ldap=missing
driver-impl-oauth1=missing
driver-impl-external=complete
driver-impl-oidc=complete
driver-impl-samlv2=complete
[feature.identity_crud]
title=Identity management
status=optional
notes=Create, update, enable/disable, and delete users via Keystone's HTTP API.
driver-impl-sql=complete
driver-impl-ldap=partial
driver-impl-oauth1=complete
driver-impl-external=missing
driver-impl-oidc=missing
driver-impl-samlv2=missing
[feature.pci_controls]
title=PCI-DSS controls
status=optional
notes=Configure keystone to enforce PCI-DSS compliant security controls.
driver-impl-sql=complete
driver-impl-ldap=partial
driver-impl-oauth1=missing
driver-impl-external=partial
driver-impl-oidc=missing
driver-impl-samlv2=missing
[feature.auditing]
title=Auditing
status=optional
notes=Audit authentication flows using PyCADF.
driver-impl-sql=complete
driver-impl-ldap=complete
driver-impl-oauth1=missing
driver-impl-external=missing
driver-impl-oidc=complete
driver-impl-samlv2=complete