Root Disable

Include the URL of your launchpad blueprint:

https://blueprints.launchpad.net/trove/+spec/root-disable

Since there is the ability to enable a root user on an instance the ability to disable the root user should be provided as well.

Problem Description

Currently, the root user can be enabled on an instance. It is expected that the root user can also be disabled.

Disabling the root user should not change the ability of the command root-show to determine if the root user has ever been enabled.

Proposed Change

This change will add a new root-disable command.

The command will remove the root user from the specified instance. No changes will be made in the root_enable_history table from the execution of the command. This ensures the root-show command will continue to operate as expected.

Configuration

None

Database

None

Public API

REST API:

DELETE /instances/{id}/root

Public API Security

None

Python API

Python API in class Root:

def delete(self, instance):

“””Implements root-disable API.

Removes the root user for the specified db instance.

param instance

The instance from which the root user is removed from

“””

CLI (python-troveclient)

CLI:

trove root-disable <instance>

Internal API

None

Guest Agent

The appropriate root disable method will added only for MySQL. All other datastores will also need to have the appropriate not implemented error.

Alternatives

Another option is root-disable will simply call root-enable and not return the password back to the user. This alternative also has no impact on the root-show.

However, an operator may believe the root user to be completely removed from the database after the root-disable call is made. Leaving the root user may not be what the operator is expecting.

Discussion Summary

Some concerns were raised during the discussion of this blueprint. The full details can be found here https://review.openstack.org/#/c/189837/.

In summary the concerns revolved around the fact that after the user performs a root enable the following issues can occur.

  1. A security hole exists where a user can create an alternate root user, drop the existing root user and do a backup then restore leaving no trace that the root user has been enabled for the restored database and an “unknown” alternate root user is left in the restored database.

  2. The enabled root user can change the management user access leaving the instance in a state that cannot be managed via Trove.

It was determined that adding the root-disable command does not cause or make the concerns raised above to be any worse than already exists.

Implementation

Assignee(s)

Primary assignee:

dloi

Milestones

liberty-1

Work Items

  • Implement CLI, Python API and REST API calls

  • In the guest add disable_root method for MySQL database and not implemented stubs for all other datastores

  • Unit and integration tests

Upgrade Implications

None

Dependencies

None

Testing

Add to existing root enable tests to test disabling the root user.

Documentation Impact

New root-disable command needs to be added to the API documentation.

References

None