Root Disable

Root Disable

Include the URL of your launchpad blueprint:

Since there is the ability to enable a root user on an instance the ability to disable the root user should be provided as well.

Problem Description

Currently, the root user can be enabled on an instance. It is expected that the root user can also be disabled.

Disabling the root user should not change the ability of the command root-show to determine if the root user has ever been enabled.

Proposed Change

This change will add a new root-disable command.

The command will remove the root user from the specified instance. No changes will be made in the root_enable_history table from the execution of the command. This ensures the root-show command will continue to operate as expected.





Public API


DELETE /instances/{id}/root

Public API Security


Python API

Python API in class Root:

def delete(self, instance):

“”“Implements root-disable API.

Removes the root user for the specified db instance.

param instance

The instance from which the root user is removed from


CLI (python-troveclient)


trove root-disable <instance>

Internal API


Guest Agent

The appropriate root disable method will added only for MySQL. All other datastores will also need to have the appropriate not implemented error.


Another option is root-disable will simply call root-enable and not return the password back to the user. This alternative also has no impact on the root-show.

However, an operator may believe the root user to be completely removed from the database after the root-disable call is made. Leaving the root user may not be what the operator is expecting.

Discussion Summary

Some concerns were raised during the discussion of this blueprint. The full details can be found here

In summary the concerns revolved around the fact that after the user performs a root enable the following issues can occur.

  1. A security hole exists where a user can create an alternate root user, drop the existing root user and do a backup then restore leaving no trace that the root user has been enabled for the restored database and an “unknown” alternate root user is left in the restored database.

  2. The enabled root user can change the management user access leaving the instance in a state that cannot be managed via Trove.

It was determined that adding the root-disable command does not cause or make the concerns raised above to be any worse than already exists.



Primary assignee:




Work Items

  • Implement CLI, Python API and REST API calls

  • In the guest add disable_root method for MySQL database and not implemented stubs for all other datastores

  • Unit and integration tests

Upgrade Implications





Add to existing root enable tests to test disabling the root user.

Documentation Impact

New root-disable command needs to be added to the API documentation.



Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.

trove-specs 0.0.1.dev177