
yahoo-eng-team team mailing list archive

[Bug 1823258] Re: RFE: Immutable Resources

 

Reviewed:  https://review.opendev.org/705859
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=da28046944aaa5b6068d2cc8f14e72ef1de6c012
Submitter: Zuul
Branch:    master

commit da28046944aaa5b6068d2cc8f14e72ef1de6c012
Author: Colleen Murphy <colleen.murphy@xxxxxxxx>
Date:   Tue Feb 4 14:06:41 2020 -0800

    Default to bootstrapping roles as immutable
    
    In the previous cycle, the ``--immutable-roles`` option was added to the
    bootstrap command as an optional way to opt in to making the default
    roles immutable. Following step 4 of the spec[1], we now make that
    behavior the default and additionally offer a way to opt out of it.
    
    [1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html#proposed-change
    
    Change-Id: I6b680efb2c87c1d7559ddcc989bbce68456b9a5f
    Closes-Bug: #1823258


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1823258

Title:
  RFE: Immutable Resources

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone is responsible for many resources that are used throughout other
  services in an OpenStack deployment. For example, roles essentially map
  permissions to a string that can be associated to a user via a role assignment.
  Many roles are reused across OpenStack and some carry elevated authorization
  needed to manage the deployment. In some cases, the accidental removal of a role
  can be catastrophic to the deployment, since the deletion of a role triggers the
  deletion of all role assignments any user has in any scope for that role. The
  fix in such a case usually requires modifying database entries by hand, which is
  a terrible practice in production environments.

  Keystone should implement a more robust mechanism that allows operators to lock
  specific resources, like important roles. A locked resource shouldn't be
  deletable until it is unlocked, which adds a layer of protection for
  deployment-critical API resources, especially from accidental mishaps from the
  command line or rogue/faulty administrator scripts.

  Spec: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1823258/+subscriptions

