Public bug reported: Keystone is responsible for many resources that are used throughout other services in an OpenStack deployment. For example, roles essentially map permissions to a string that can be associated to a user via a role assignment. Many roles are reused across OpenStack and some carry elevated authorization needed to manage the deployment. In some cases, the accidental removal of a role can be catastrophic to the deployment, since the deletion of a role triggers the deletion of all role assignments any user has in any scope for that role. The fix in such a case usually requires modifying database entries by hand, which is a terrible practice in production environments.
Keystone should implement a more robust mechanism that allows operators to lock specific resources, like important roles. A locked resource shouldn't be deletable until it is unlocked, which adds a layer of protection for deployment-critical API resources, especially from accidental mishaps from the command line or rogue/faulty administrator scripts.

Spec proposal: https://review.openstack.org/624692

** Affects: keystone
   Importance: Undecided
   Status: New

** Tags: rfe

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1823258

Title: RFE: Immutable Resources

Status in OpenStack Identity (keystone): New

To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1823258/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
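To make the failure mode and the proposed guard concrete, the following is an added example; it is not Keystone's code and not taken from the linked spec. It models a toy in-memory identity store in which deleting a role cascades to every assignment of that role in every scope, as the report describes, and adds a hypothetical `immutable` flag that must be cleared explicitly before `delete_role()` will proceed. All names (`IdentityStore`, `Role`, `Assignment`, `ImmutableResourceError`) and the sample users, projects and role IDs are assumptions constructed for the illustration.

```python
"""Toy model of the role-lock (immutable resource) idea from the RFE.

Added illustration only: these classes and IDs are assumptions, not
Keystone's actual schema or API.
"""
from dataclasses import dataclass, field


class ImmutableResourceError(Exception):
    """Raised when a locked (immutable) resource is deleted."""


@dataclass
class Role:
    id: str
    name: str
    immutable: bool = False  # hypothetical lock flag


@dataclass
class Assignment:
    actor_id: str    # user (or group) holding the role
    target_id: str   # scope: project, domain, or "system"
    role_id: str


@dataclass
class IdentityStore:
    roles: dict = field(default_factory=dict)
    assignments: list = field(default_factory=list)

    def create_role(self, role_id, name, immutable=False):
        self.roles[role_id] = Role(role_id, name, immutable)

    def grant(self, actor_id, target_id, role_id):
        if role_id not in self.roles:
            raise KeyError(f"unknown role {role_id}")
        self.assignments.append(Assignment(actor_id, target_id, role_id))

    def set_immutable(self, role_id, value):
        """Lock or unlock a role; unlocking is a deliberate, separate step."""
        self.roles[role_id].immutable = value

    def delete_role(self, role_id):
        """Delete a role and cascade to its assignments.

        Returns the number of assignments removed. Refuses to touch a
        locked role, so a faulty cleanup script cannot wipe the
        assignments behind it.
        """
        role = self.roles[role_id]
        if role.immutable:
            raise ImmutableResourceError(
                f"role {role.name!r} is immutable; unlock it before deleting")
        del self.roles[role_id]
        # The cascade the bug report warns about: every assignment of this
        # role, for every actor, in every scope, disappears with it.
        before = len(self.assignments)
        self.assignments = [a for a in self.assignments if a.role_id != role_id]
        return before - len(self.assignments)


def demo():
    """Simulate a rogue 'delete every role' script against a locked admin role."""
    store = IdentityStore()
    store.create_role("r-admin", "admin", immutable=True)   # constructed sample data
    store.create_role("r-member", "member")
    store.grant("u-alice", "p-ops", "r-admin")
    store.grant("u-bob", "system", "r-admin")
    store.grant("u-carol", "p-dev", "r-member")

    results = {}
    for rid in list(store.roles):
        try:
            results[rid] = store.delete_role(rid)
        except ImmutableResourceError:
            results[rid] = "locked"
    return store, results


if __name__ == "__main__":
    store, results = demo()
    print(results)                       # {'r-admin': 'locked', 'r-member': 1}
    print(len(store.assignments))        # 2 admin assignments survive
```

The unlock is intentionally a separate call rather than a flag on the delete request, so that a script which simply loops over every role cannot get past the guard by accident; an operator has to state twice, on two different resources, that the removal is intended.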

