RFE: Immutable Resources

Bug #1823258 reported by Colleen Murphy on 2019-04-04
Affects: OpenStack Identity (keystone)
Assigned to: Colleen Murphy

Bug Description

Keystone is responsible for many resources that are used throughout other
services in an OpenStack deployment. For example, roles essentially map
permissions to a string that can be associated to a user via a role assignment.
Many roles are reused across OpenStack and some carry elevated authorization
needed to manage the deployment. In some cases, the accidental removal of a role
can be catastrophic to the deployment, since the deletion of a role triggers the
deletion of all role assignments any user has in any scope for that role. The
fix in such a case usually requires modifying database entries by hand, which is
a terrible practice in production environments.

Keystone should implement a more robust mechanism that allows operators to lock
specific resources, like important roles. A locked resource shouldn't be
deletable until it is unlocked, which adds a layer of protection for
deployment-critical API resources, especially from accidental mishaps from the
command line or rogue/faulty administrator scripts.

Spec: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html

Tags: rfe

Fix proposed to branch: master
Review: https://review.opendev.org/666739

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress
Colleen Murphy (krinkle) on 2019-08-07
description: updated

Fix proposed to branch: master
Review: https://review.opendev.org/675228

Fix proposed to branch: master
Review: https://review.opendev.org/675509

Changed in keystone:
assignee: Colleen Murphy (krinkle) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Colleen Murphy (krinkle)

Reviewed: https://review.opendev.org/666739
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a38d4a650f3573065848a372254c63c3a6598979
Submitter: Zuul
Branch: master

commit a38d4a650f3573065848a372254c63c3a6598979
Author: morgan fainberg <email address hidden>
Date: Sat Aug 24 10:59:59 2019 -0700

    Add immutable option for roles and projects

    Add in support for immutable roles and projects (including domains).
    If the immutable option is set for a role or a project that
    resource may not:

    * Be Deleted

    * Be Updated, except to change the value of "immutable" from
      `True` to `False` or `None` (None explicitly unsets the
      resource option).

    * For projects (and domains), project tags cannot be created,
      updated, or deleted.

    The immutable check is performed at the manager layer allowing
    for exceptional code-cases to work directly with the driver.

    Change-Id: I2027b1235a260b7ae5d66cbd6c369773d9e99876
    Partial-bug: #1823258
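The rules listed in the commit message above, modelled as an added example (this is not keystone's own code). The function names, the dict layout and the reading that an update is accepted while locked only when it unsets the option are assumptions of the example; the option name "immutable" and the three rules come from the commit text.

```python
# Added example, not keystone's own code: a toy model of the manager-layer
# immutability rule in the commit above. Function names and the dict layout
# are assumptions; the option name and the three rules come from the page.
class ResourceLockedError(Exception):
    """Operation refused: the resource's immutable option is set."""

def _assert_unlocked(store, res_id):
    ref = store[res_id]
    if ref.get("options", {}).get("immutable"):
        raise ResourceLockedError(f"{ref['kind']} {res_id} is immutable")
    return ref

def delete(store, res_id):          # rule 1: no delete while locked
    _assert_unlocked(store, res_id)
    del store[res_id]

def add_tag(store, res_id, tag):    # rule 3: no tag changes while locked
    _assert_unlocked(store, res_id).setdefault("tags", []).append(tag)

def update(store, res_id, changes):  # rule 2, checked at the manager layer
    ref = store[res_id]
    new_opts = changes.get("options", {})
    # Assumed reading of the rule: while immutable is set, an update is
    # accepted only if it unsets immutable (True -> False or None).
    unsetting = "immutable" in new_opts and not new_opts["immutable"]
    if ref.get("options", {}).get("immutable") and not unsetting:
        raise ResourceLockedError(f"{ref['kind']} {res_id} is immutable")
    for key, value in changes.items():
        if key == "options":
            ref.setdefault("options", {}).update(value)
            if ref["options"].get("immutable") is None:
                ref["options"].pop("immutable", None)  # None unsets the option
        else:
            ref[key] = value

def run_scenario():
    # Constructed sample: a locked "admin" role resists a stray delete and rename until unlocked.
    store = {"admin": {"id": "admin", "kind": "role", "name": "admin",
                       "options": {"immutable": True}}}
    outcome = []
    for op in (lambda: delete(store, "admin"),
               lambda: update(store, "admin", {"name": "renamed"}),
               lambda: update(store, "admin", {"options": {"immutable": None}}),
               lambda: delete(store, "admin")):
        try:
            op()
            outcome.append("ok")
        except ResourceLockedError:
            outcome.append("refused")
    return outcome, "admin" in store
```

Because the check sits in the manager layer, code that calls the driver directly (as the commit note allows for exceptional cases) bypasses it, so the lock protects against API and CLI mistakes rather than against direct database access.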

Reviewed: https://review.opendev.org/675228
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a80d83e76dfb1114b8cd1b31bd2f175d36ae18ae
Submitter: Zuul
Branch: master

commit a80d83e76dfb1114b8cd1b31bd2f175d36ae18ae
Author: Colleen Murphy <email address hidden>
Date: Wed Aug 7 16:22:05 2019 -0700

    Add --immutable-roles flag to bootstrap command

    This implements Step 2 of the Proposed Change for Immutable

    [1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html#proposed-change

    Change-Id: I4d99f630cb16e1d58261012e59d3a92c7035734c
    Partial-bug: #1823258

Reviewed: https://review.opendev.org/675509
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5e06ec8163249a7581b12db321036979b7d0604c
Submitter: Zuul
Branch: master

commit 5e06ec8163249a7581b12db321036979b7d0604c
Author: Colleen Murphy <email address hidden>
Date: Thu Aug 8 20:00:28 2019 -0700

    Add immutable roles status check

    This implements part 3 of the proposed change for immutable roles[1], as
    well as adds a release note.

    Part 4 (changing the default behavior of ``keystone-manage bootstrap``)
    will have to come in the next cycle.

    [1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html#proposed-change

    Change-Id: Ie9d658deb1fa69e9007f3c50535b5c48a7a292d1
    Partial-bug: #1823258
