
[Initiative]: Identity and Access Management

Open y-tabata opened this issue 8 months ago • 18 comments

Name

Identity and Access Management

Short description

Writing Identity and Access Management Whitepaper.

Responsible group

TAG Security and Compliance

Does the initiative belong to a subproject?

No

Subproject name

Identity and Access Management

Primary contact

@y-tabata

Additional contacts

@eddie-knight

Initiative description

This is an initiative to write the Identity and Access Management Whitepaper, which we have been carrying out at TAG Security since last year. https://github.com/cncf/tag-security/issues/1332

Description: Authentication and authorization are the most important security considerations in the cloud-native ecosystem, as evidenced by their high ranking in the OWASP Top 10 and OWASP Top 10 API Security Risks. On the other hand, authentication and authorization frameworks have a wide range of related specifications, including OAuth and OpenID Connect, and it can be difficult for implementers to implement the frameworks, so it would be beneficial to publish best practices for identity and access management.

Deliverable(s) or exit criteria

The deliverable is the Identity and Access Management whitepaper.

y-tabata avatar Apr 18 '25 00:04 y-tabata

Thanks @y-tabata! Is it possible to break down this white paper into shorter deliverables that take 1 to 3 months to complete?

Please add a timeline to measure progress against.

angellk avatar May 02 '25 01:05 angellk

@angellk This white paper is being divided into Part 1, the design section, and Part 2, the implementation section. Our team is currently working towards completing the draft of Part 1 between the middle and end of May, with the goal of publishing it around the end of June.

y-tabata avatar May 02 '25 12:05 y-tabata

This effort is currently undergoing extended review and polish while awaiting further guidance from the TOC regarding next steps.

eddie-knight avatar May 31 '25 20:05 eddie-knight

hi @y-tabata -- please open one initiative per white paper section. Vote is opening soon.

angellk avatar Jun 23 '25 19:06 angellk

@riaankleinhans ready to open vote once @y-tabata splits the work into multiple initiatives.

angellk avatar Jun 23 '25 19:06 angellk

@y-tabata reach out to me when you are done. Thank you.

riaankleinhans avatar Jun 23 '25 20:06 riaankleinhans

@angellk The current issue is for the "part 1" that Yoshiyuki mentioned above. We have not done any detailed planning around the second part yet.

eddie-knight avatar Jun 23 '25 23:06 eddie-knight

Thanks for clarifying @eddie-knight

Gtg @riaankleinhans

angellk avatar Jun 24 '25 00:06 angellk

Thanks, Eddie. As Eddie wrote, part 2 will be tackled after part 1 is finished.

y-tabata avatar Jun 24 '25 12:06 y-tabata

This initiative has been approved by the TOC and is ready to be worked on with the appropriate TAG and TOC liaison.

riaankleinhans avatar Jul 07 '25 15:07 riaankleinhans

We have passed the community and TL review.

y-tabata avatar Aug 01 '25 00:08 y-tabata

This should now be ready for TOC review 👍

mrbobbytables avatar Aug 01 '25 01:08 mrbobbytables

As the paper stands, it is NOT ready for TOC review: https://github.com/cncf/tag-security/issues/1332#issuecomment-3145162219

TheFoxAtWork avatar Aug 01 '25 16:08 TheFoxAtWork

@mrbobbytables @TheFoxAtWork The public review has closed. Could you please reopen the TOC review? https://github.com/cncf/tag-security/issues/1332#issuecomment-3223149259

y-tabata avatar Sep 11 '25 04:09 y-tabata

@y-tabata Our apologies for the delay, the TOC has been managing a few different priorities at the time and this was placed in our backlog to come back to while we resolve the current priorities in flight. @kfaseela has time allocated in the next few weeks to review the document. We appreciate your patience and understanding.

TheFoxAtWork avatar Oct 08 '25 19:10 TheFoxAtWork

@TheFoxAtWork Thanks for sharing the situation. We look forward to the review results.

y-tabata avatar Oct 08 '25 20:10 y-tabata

hi @y-tabata -- it does not look like the initiative was broken down as requested and as a result it is not ready to be reviewed. https://github.com/cncf/tag-security/issues/1332#issuecomment-3398908843

In order to provide technical deliverables that are manageable to review, the TOC is asking for 1-5 pages maximum at this time. Please think about concrete, concise information that is valuable to project maintainers.

Several TOC members will be at Maintainer Summit in Atlanta -- that's a good time to discuss as well.

cc: @kfaseela

angellk avatar Oct 13 '25 20:10 angellk

Moving this discussion here: https://github.com/cncf/tag-security/issues/1332#issuecomment-3399000540

38 pages as a "Part 1" is not in line with the expectations of the TOC. Understand that some community members require more explicit guidance on what is expected when an initiative is approved:

Primary goals of the TAG Restructure are to ensure:

  • community members have a means of collaborating on initiatives that are tightly scoped and time bound
  • deliverables that allow for faster review from community members, TAG leads and TOC members
  • guidance that is timely, accurate and provides technical guidance to project maintainers as they are making architectural decisions

I've reached out to the TAG chairs to discuss more on how they can help guide the community with these initiatives.

angellk avatar Oct 13 '25 21:10 angellk