Bug 1465569 - [RFE] Provide a global ‘lock down your overcloud’ feature/setting
Status: NEW
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
11.0 (Ocata)
Unspecified Unspecified
low Severity medium
Assigned To: Angus Thomas
Amit Ugol
Keywords: FutureFeature, Triaged
Reported: 2017-06-27 12:17 EDT by Jon Thomas
Modified: 2018-05-23 21:49 EDT
Type: Bug

Description Jon Thomas 2017-06-27 12:17:58 EDT
Split out from https://bugzilla.redhat.com/show_bug.cgi?id=1396227

Provide a global ‘lock down your overcloud’ feature/setting

As an integrated feature or as an externally documented procedure, provide a way to prohibit major overcloud changes. Externally documented methods could do something with IPMI passwords or PXE network traffic to prevent redeployments.

Comment 4 Ben Nemec 2017-08-09 11:35:04 EDT
Note that we already document a method to prevent deletion of the overcloud: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html/director_installation_and_usage/chap-performing_tasks_after_overcloud_creation#sect-Protecting_the_Overcloud_from_Removal

This wouldn't stop an admin from deleting a nova instance or a neutron port, although a similar technique could probably be used for those services' policy.json.

Comment 5 Jaromir Coufal 2017-08-10 16:07:19 EDT
Pushing out of OSP13, the locks will need to be revisited in other services. This bug can serve as a tracker for future work.