Activity log for bug #1823258

Date Who What changed Old value New value Message
2019-04-04 20:24:14 Colleen Murphy bug added bug
2019-06-20 23:20:12 OpenStack Infra keystone: status New In Progress
2019-06-20 23:20:12 OpenStack Infra keystone: assignee Colleen Murphy (krinkle)
2019-08-07 22:15:41 Colleen Murphy description Keystone is responsible for many resources that are used through out other services in an OpenStack deployment. For example, roles essentially map permissions to a string that can be associated to a user via a role assignment. Many roles are reused across OpenStack and some carry elevated authorization needed to manage the deployment. In some cases, the accidental removal of a role can be catastrophic to the deployment, since the deletion of a role triggers the deletion of all role assignments any user has in any scope for that role. The fix in such a case usually requires modifying database entries by hand, which is a terrible practice in production environments. Keystone should implement a more robust mechanism that allows operators to lock specific resources, like important roles. A locked resource shouldn't be deletable until it is unlocked, which adds a layer of protection for deployment critical API resources, especially from accidental mishaps from the command line or rogue/faulty administrator scripts. Spec proposal: https://review.openstack.org/624692 Keystone is responsible for many resources that are used through out other services in an OpenStack deployment. For example, roles essentially map permissions to a string that can be associated to a user via a role assignment. Many roles are reused across OpenStack and some carry elevated authorization needed to manage the deployment. In some cases, the accidental removal of a role can be catastrophic to the deployment, since the deletion of a role triggers the deletion of all role assignments any user has in any scope for that role. The fix in such a case usually requires modifying database entries by hand, which is a terrible practice in production environments. Keystone should implement a more robust mechanism that allows operators to lock specific resources, like important roles. A locked resource shouldn't be deletable until it is unlocked, which adds a layer of protection for deployment critical API resources, especially from accidental mishaps from the command line or rogue/faulty administrator scripts. Spec: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html
2019-08-24 18:03:20 OpenStack Infra keystone: assignee Colleen Murphy (krinkle) Morgan Fainberg (mdrnstm)
2019-08-29 17:43:05 OpenStack Infra keystone: assignee Morgan Fainberg (mdrnstm) Vishakha Agarwal (vishakha.agarwal)
2019-09-06 23:10:47 OpenStack Infra keystone: assignee Vishakha Agarwal (vishakha.agarwal) Colleen Murphy (krinkle)
2019-09-09 23:04:28 OpenStack Infra keystone: assignee Colleen Murphy (krinkle) Morgan Fainberg (mdrnstm)
2019-09-09 23:25:47 OpenStack Infra keystone: assignee Morgan Fainberg (mdrnstm) Colleen Murphy (krinkle)
2020-02-12 05:47:06 OpenStack Infra keystone: status In Progress Fix Released
2022-07-22 09:12:53 Christian Rohmann bug added subscriber Christian Rohmann