deNBI / perunKeystoneAdapter

Perun Keystone Adapter parses data propagated by Perun and modifies a connected Keystone.
https://perunkeystoneadapter.readthedocs.io/en/latest/
Apache License 2.0

User/Project deletions #1

Closed jkrue closed 6 years ago

jkrue commented 6 years ago

Current situation

All actions on Keystone are processed immediately.

What does that mean?

The user/project data is propagated by Perun and processed by the Perun Keystone Adapter. Any change in the propagated data is followed by an update of Keystone. For any additions or modifications (user_create, user_update, projects_create and project_update) this seems to be OK. But a user or project missing from the propagated database is also removed from Keystone in time. In my opinion this is dangerous/unsafe behaviour.

Idea for a maybe better (safer) handling:

Instead of immediate processing, we could deactivate the concerned user/project first and then delete it:

  1. manually
  2. after a fixed period of time (one day, several days, a week)
  3. after one or more confirmations (which could be the next pushed dataset)
  4. a mixture of the above

jkrue commented 6 years ago

When a project is deleted its bound resources are normally not deleted.

However, when a project is removed, we must consequently also remove all resources bound by this project. This might not be a good idea ...

Instead of deleting the project we could

jkrue commented 6 years ago

The feature branch denbi_portal_compute_center (recently merged) realizes the discussed solution. Delete a user or project using the library function disable and tag it as deleted. The library also offers a termination function which allows a tagged user/project to be really deleted.
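
The two-phase deletion discussed in this issue (disable and tag first, really delete later), as an added sketch that is not the adapter's own code: `Entry`, `reconcile`, `terminate`, the in-memory store and the default grace period and confirmation count are all hypothetical names and values chosen for illustration. It combines options 2 and 3 from the list above and assumes a reappearing id should cancel only a pending soft delete, not an unrelated administrative disable.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass
class Entry:
    """Constructed stand-in for a Keystone user or project record."""
    enabled: bool = True
    deleted_at: Optional[datetime] = None  # the "tagged as deleted" marker
    missing_count: int = 0                 # consecutive datasets without this id


def reconcile(store: Dict[str, Entry], propagated: Iterable[str], now: datetime) -> None:
    """Apply one propagated dataset: add or restore present ids, soft-delete missing ones."""
    present = set(propagated)
    for ident in present:
        entry = store.setdefault(ident, Entry())
        if entry.deleted_at is not None:
            # Undo only our own soft delete; an entry disabled for
            # another reason (no tag) is left disabled.
            entry.enabled, entry.deleted_at = True, None
        entry.missing_count = 0
    for ident, entry in store.items():
        if ident not in present:
            entry.enabled = False                        # cut access immediately
            entry.deleted_at = entry.deleted_at or now   # keep the first tag time
            entry.missing_count += 1


def terminate(store: Dict[str, Entry], now: datetime,
              grace: timedelta = timedelta(days=7), confirmations: int = 2) -> List[str]:
    """Really delete entries tagged for at least `grace` AND missing from at
    least `confirmations` consecutive datasets; return the removed ids."""
    doomed = [ident for ident, e in store.items()
              if e.deleted_at is not None
              and now - e.deleted_at >= grace
              and e.missing_count >= confirmations]
    for ident in doomed:
        del store[ident]
    return sorted(doomed)
```

A single truncated or empty dataset therefore only disables entries; nothing is destroyed until both the grace period and the confirmation count are met, and the returned id list can be written to an audit log.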