Prevent deletion of currently scoped tenant
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Opinion
|
Wishlist
|
Unassigned |
Bug Description
While being the admin, you are able to delete the admin project.
[rhallisey@
keystone +------
| id | name | enabled |
+------
| e00677dd11c545c
| 97dc1ee5558642a
| 06a3bb546b5f488
| 2af18f242b3c402
| ff386a5825304cd
| bfa6846390a64f9
+------
[rhallisey@
[rhallisey@
Could not find project: admin (Disable debug mode to suppress these details.) (HTTP 401)
Changed in keystone: | |
milestone: | none → juno-rc1 |
The "admin" tenant (as built in devstack) is an example, not all deployments utilize a tenant called "admin". It is perfectly valid to delete *any* tenant regardless of the name.
Would a sufficient fix be to prevent the deletion of the currently scoped tenant? that is to say, is this a UX issue?
example: If I am using a token for the admin tenant, i cannot delete the admin tenant.
As it stands preventing deletion of a specific tenant based on name is a bad idea, what if a deployment wants to change to a new "admin" tenant called "Cloud Administration"?