Reviewed:  https://review.opendev.org/705859
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=da28046944aaa5b6068d2cc8f14e72ef1de6c012
Submitter: Zuul
Branch:    master

commit da28046944aaa5b6068d2cc8f14e72ef1de6c012
Author: Colleen Murphy <[email protected]>
Date:   Tue Feb 4 14:06:41 2020 -0800

    Default to bootstrapping roles as immutable

    In the previous cycle, the ``--immutable-roles`` option was added to the
    bootstrap command as an optional way to opt-in to making the default
    roles immutable. Following step 4 of the spec[1], we now make that
    behavior the default and additionally offer a way to opt out of it.

    [1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html#proposed-change

    Change-Id: I6b680efb2c87c1d7559ddcc989bbce68456b9a5f
    Closes-Bug: #1823258

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1823258

Title:
  RFE: Immutable Resources

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone is responsible for many resources that are used throughout
  other services in an OpenStack deployment. For example, roles
  essentially map permissions to a string that can be associated to a
  user via a role assignment. Many roles are reused across OpenStack and
  some carry elevated authorization needed to manage the deployment.

  In some cases, the accidental removal of a role can be catastrophic to
  the deployment, since the deletion of a role triggers the deletion of
  all role assignments any user has in any scope for that role. The fix
  in such a case usually requires modifying database entries by hand,
  which is a terrible practice in production environments.

  Keystone should implement a more robust mechanism that allows
  operators to lock specific resources, like important roles.
  A locked resource shouldn't be deletable until it is unlocked, which
  adds a layer of protection for deployment-critical API resources,
  especially from accidental mishaps from the command line or
  rogue/faulty administrator scripts.

  Spec: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html

