
yahoo-eng-team team mailing list archive

[Bug 1823258] [NEW] RFE: Immutable Resources


Public bug reported:

Keystone is responsible for many resources that are used throughout other
services in an OpenStack deployment. For example, roles essentially map 
permissions to a string that can be associated to a user via a role assignment.
Many roles are reused across OpenStack and some carry elevated authorization
needed to manage the deployment. In some cases, the accidental removal of a role
can be catastrophic to the deployment, since the deletion of a role triggers the 
deletion of all role assignments any user has in any scope for that role. The 
fix in such a case usually requires modifying database entries by hand, which is
a terrible practice in production environments.

Keystone should implement a more robust mechanism that allows operators to lock
specific resources, like important roles. A locked resource shouldn't be
deletable until it is unlocked, which adds a layer of protection for 
deployment critical API resources, especially from accidental mishaps from the 
command line or rogue/faulty administrator scripts.

Spec proposal: https://review.openstack.org/624692

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: rfe

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1823258

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1823258/+subscriptions
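The hazard and the proposed guard, as an added illustrative model that is not keystone's code (the flag name `immutable`, the `RoleStore` class and the sample users, scopes and roles are all assumptions constructed for the example):

```python
"""Toy model of role deletion with the lock proposed in the RFE above.
Constructed example; does not reproduce keystone's real implementation."""
from dataclasses import dataclass, field


class ImmutableResourceError(Exception):
    """Raised when a locked resource would be deleted."""


@dataclass
class Role:
    name: str
    immutable: bool = False  # assumed name for the proposed lock flag


@dataclass
class RoleStore:
    roles: dict = field(default_factory=dict)
    # (user, scope, role_name) tuples standing in for role assignments
    assignments: set = field(default_factory=set)

    def create_role(self, name, immutable=False):
        self.roles[name] = Role(name, immutable)

    def assign(self, user, scope, role_name):
        if role_name not in self.roles:
            raise KeyError(role_name)
        self.assignments.add((user, scope, role_name))

    def set_immutable(self, role_name, value):
        self.roles[role_name].immutable = value

    def delete_role(self, role_name):
        role = self.roles[role_name]
        if role.immutable:
            raise ImmutableResourceError(f"role {role_name!r} is locked; unlock it first")
        # This cascade is what makes an accidental delete catastrophic:
        # every assignment of the role, in every scope, goes with it.
        self.assignments = {a for a in self.assignments if a[2] != role_name}
        del self.roles[role_name]


def demo():
    """Locked 'admin' survives a delete attempt; unlocked 'member' cascades."""
    store = RoleStore()
    store.create_role("admin", immutable=True)
    store.create_role("member")
    store.assign("alice", "project-a", "admin")
    store.assign("bob", "system", "admin")
    store.assign("carol", "project-b", "member")
    try:
        store.delete_role("admin")
        blocked = False
    except ImmutableResourceError:
        blocked = True
    store.delete_role("member")
    return blocked, len(store.assignments)
```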
