diff --git a/specs/liberty/root-disable.rst b/specs/liberty/root-disable.rst new file mode 100644 index 0000000..a5c852a --- /dev/null +++ b/specs/liberty/root-disable.rst @@ -0,0 +1,171 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + + Sections of this template were taken directly from the Nova spec + template at: + https://github.com/openstack/nova-specs/blob/master/specs/template.rst +.. + +============ +Root Disable +============ + +Include the URL of your launchpad blueprint: + +https://blueprints.launchpad.net/trove/+spec/root-disable + +Since there is the ability to enable a root user on an instance the +ability to disable the root user should be provided as well. + +Problem Description +=================== + +Currently, the root user can be enabled on an instance. It is expected +that the root user can also be disabled. + +Disabling the root user should not change the ability of the command +root-show to determine if the root user has ever been enabled. + + +Proposed Change +=============== + +This change will add a new root-disable command. + +The command will remove the root user from the specified instance. No changes +will be made in the root_enable_history table from the execution of the +command. This ensures the root-show command will continue to operate as +expected. + +Configuration +------------- + +None + +Database +-------- + +None + +Public API +---------- + +REST API: + + DELETE /instances/{id}/root + +Public API Security +------------------- + +None + +Python API +---------- + +Python API in class Root: + + def delete(self, instance): + """Implements root-disable API. + + Removes the root user for the specified db instance. + + :param instance: The instance from which the root user is removed from + + """ + +CLI (python-troveclient) +------------------------ + +CLI: + + trove root-disable + +Internal API +------------ + +None + +Guest Agent +----------- + +The appropriate root disable method will added only for MySQL. All other +datastores will also need to have the appropriate not implemented error. + +Alternatives +------------ + +Another option is root-disable will simply call root-enable and not return +the password back to the user. This alternative also has no impact on the +root-show. + +However, an operator may believe the root user to be completely removed from +the database after the root-disable call is made. Leaving the root user +may not be what the operator is expecting. + +Discussion Summary +------------------ +Some concerns were raised during the discussion of this blueprint. The full +details can be found here https://review.openstack.org/#/c/189837/. + +In summary the concerns revolved around the fact that after the user performs +a root enable the following issues can occur. + +1. A security hole exists where a user can create an alternate root user, + drop the existing root user and do a backup then restore leaving no trace + that the root user has been enabled for the restored database and an + "unknown" alternate root user is left in the restored database. +2. The enabled root user can change the management user access leaving the + instance in a state that cannot be managed via Trove. + +It was determined that adding the root-disable command does not cause or make +the concerns raised above to be any worse than already exists. + +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + dloi + +Milestones +---------- + +liberty-1 + +Work Items +---------- + +- Implement CLI, Python API and REST API calls +- In the guest add disable_root method for MySQL database and not implemented + stubs for all other datastores +- Unit and integration tests + +Upgrade Implications +==================== + +None + +Dependencies +============ + +None + +Testing +======= + +Add to existing root enable tests to test disabling the root user. + +Documentation Impact +==================== + +New root-disable command needs to be added to the API documentation. + +References +========== + +None \ No newline at end of file