Keystone is responsible for many resources that are used through out other
services in an OpenStack deployment. For example, roles essentially map
permissions to a string that can be associated to a user via a role assignment.
Many roles are reused across OpenStack and some carry elevated authorization
needed to manage the deployment. In some cases, the accidental removal of a role
can be catastrophic to the deployment, since the deletion of a role triggers the
deletion of all role assignments any user has in any scope for that role. The
fix in such a case usually requires modifying database entries by hand, which is
a terrible practice in production environments.
Keystone should implement a more robust mechanism that allows operators to lock
specific resources, like important roles. A locked resource shouldn't be
deletable until it is unlocked, which adds a layer of protection for
deployment critical API resources, especially from accidental mishaps from the
command line or rogue/faulty administrator scripts.
Spec: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html
Fix proposed to branch: master /review. opendev. org/666739
Review: https:/