RFE: Immutable Resources

Bug #1823258 reported by Colleen Murphy
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Undecided
Assigned to: Colleen Murphy
Milestone: (none)

Bug Description

Keystone is responsible for many resources that are used throughout other
services in an OpenStack deployment. For example, roles essentially map
permissions to a string that can be associated to a user via a role assignment.
Many roles are reused across OpenStack and some carry elevated authorization
needed to manage the deployment. In some cases, the accidental removal of a role
can be catastrophic to the deployment, since the deletion of a role triggers the
deletion of all role assignments any user has in any scope for that role. The
fix in such a case usually requires modifying database entries by hand, which is
a terrible practice in production environments.

Keystone should implement a more robust mechanism that allows operators to lock
specific resources, like important roles. A locked resource shouldn't be
deletable until it is unlocked, which adds a layer of protection for
deployment-critical API resources, especially from accidental mishaps from the
command line or rogue/faulty administrator scripts.

Spec: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html

Tags: rfe
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/666739

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress
Colleen Murphy (krinkle)
description: updated
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/675228

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/675509

Changed in keystone:
assignee: Colleen Murphy (krinkle) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Morgan Fainberg (mdrnstm)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Colleen Murphy (krinkle)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/666739
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a38d4a650f3573065848a372254c63c3a6598979
Submitter: Zuul
Branch: master

commit a38d4a650f3573065848a372254c63c3a6598979
Author: morgan fainberg <email address hidden>
Date: Sat Aug 24 10:59:59 2019 -0700

    Add immutable option for roles and projects

    Add in support for immutable roles and projects (including domains).
    If the immutable option is set for a role or a project that
    resource may not:

    * Be Deleted

    * Be Updated, except to change the value of "immutable" from
      `True` to `False` or `None` (None explicitly unsets the
      resource option).

    * For projects (and domains), project tags cannot be created,
      updated, or deleted.

    The immutable check is performed at the manager layer allowing
    for exceptional code-cases to work directly with the driver.

    Change-Id: I2027b1235a260b7ae5d66cbd6c369773d9e99876
    Partial-bug: #1823258
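
As an added illustration of the rules in this commit message (not keystone's own code), the following Python models the manager-layer check: an `immutable` option blocks deletes, project-tag changes and every update except the one that unsets the option, while `delete_role` shows the assignment cascade the bug description warns about. The dict-based store, the `ResourceIsImmutable` exception and the assignment records are constructed simplifications.

```python
from __future__ import annotations
from typing import Any


class ResourceIsImmutable(Exception):
    """A delete or update tried to touch a locked resource (constructed)."""


def is_immutable(resource: dict[str, Any]) -> bool:
    # An absent key and None both mean "not locked".
    return bool(resource.get("options", {}).get("immutable"))


def _only_unsets_immutable(update: dict[str, Any]) -> bool:
    """True when the update does nothing but flip immutable to False/None."""
    if set(update) != {"options"}:
        return False
    opts = update["options"]
    return set(opts) == {"immutable"} and opts["immutable"] in (False, None)


def update_resource(store: dict, rid: str, update: dict[str, Any]) -> dict:
    """Apply an update unless the resource is locked and the update is not
    the single permitted escape hatch (unlocking it)."""
    resource = store[rid]
    if is_immutable(resource) and not _only_unsets_immutable(update):
        raise ResourceIsImmutable(f"{rid} is immutable; unset the option first")
    merged = {**resource, **{k: v for k, v in update.items() if k != "options"}}
    merged["options"] = {**resource.get("options", {}), **update.get("options", {})}
    store[rid] = merged
    return merged


def delete_role(roles: dict, assignments: list, rid: str) -> int:
    """Delete a role and cascade to its assignments, or refuse if locked.
    Returns how many assignments were removed (the blast radius the lock guards)."""
    if is_immutable(roles[rid]):
        raise ResourceIsImmutable(f"{rid} is immutable; unset the option first")
    del roles[rid]
    before = len(assignments)
    assignments[:] = [a for a in assignments if a["role_id"] != rid]
    return before - len(assignments)


def set_project_tags(projects: dict, pid: str, tags: list[str]) -> list[str]:
    """Tags belong to the project, so a locked project rejects tag changes too."""
    if is_immutable(projects[pid]):
        raise ResourceIsImmutable(f"{pid} is immutable; tags are frozen")
    projects[pid]["tags"] = list(tags)
    return projects[pid]["tags"]
```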

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/675228
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a80d83e76dfb1114b8cd1b31bd2f175d36ae18ae
Submitter: Zuul
Branch: master

commit a80d83e76dfb1114b8cd1b31bd2f175d36ae18ae
Author: Colleen Murphy <email address hidden>
Date: Wed Aug 7 16:22:05 2019 -0700

    Add --immutable-roles flag to bootstrap command

    This implements Step 2 of the Proposed Change for Immutable
    Resources[1].

    [1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html#proposed-change

    Change-Id: I4d99f630cb16e1d58261012e59d3a92c7035734c
    Partial-bug: #1823258

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/675509
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5e06ec8163249a7581b12db321036979b7d0604c
Submitter: Zuul
Branch: master

commit 5e06ec8163249a7581b12db321036979b7d0604c
Author: Colleen Murphy <email address hidden>
Date: Thu Aug 8 20:00:28 2019 -0700

    Add immutable roles status check

    This implements part 3 of the proposed change for immutable roles[1], as
    well as adds a release note.

    Part 4 (changing the default behavior of ``keystone-manage bootstrap``)
    will have to come in the next cycle.

    [1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html#proposed-change

    Change-Id: Ie9d658deb1fa69e9007f3c50535b5c48a7a292d1
    Partial-bug: #1823258

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/705859

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/705859
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=da28046944aaa5b6068d2cc8f14e72ef1de6c012
Submitter: Zuul
Branch: master

commit da28046944aaa5b6068d2cc8f14e72ef1de6c012
Author: Colleen Murphy <email address hidden>
Date: Tue Feb 4 14:06:41 2020 -0800

    Default to bootstrapping roles as immutable

    In the previous cycle, the ``--immutable-roles`` option was added to the
    bootstrap command as an optional way to opt-in to making the default
    roles immutable. Following step 4 of the spec[1], we now make that
    behavior the default and additionally offer a way to opt out of it.

    [1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/immutable-resources.html#proposed-change

    Change-Id: I6b680efb2c87c1d7559ddcc989bbce68456b9a5f
    Closes-Bug: #1823258

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/712182

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.opendev.org/712182
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=34f6144a47e2594851db0321ecec9c890b6337b2
Submitter: Zuul
Branch: master

commit 34f6144a47e2594851db0321ecec9c890b6337b2
Author: Colleen Murphy <email address hidden>
Date: Tue Mar 10 14:00:23 2020 -0700

    Document the "immutable" resource option

    Roles, projects, and domains can accept "immutable" as a resource
    option. This change explains the option in the admin guide and updates
    the API reference to mention it.

    Change-Id: I95926927472f6418f97a08fea0ebd56da04ce7a5
    Related-bug: #1823258
