project disabled/deleted notification recommendations

These recommendations represent the outcome of the Keystone/Barbican
cross-project discussion regarding:

  https://review.openstack.org/#/c/99658/

This discussion occurred at the keystone hackathon for Juno.

Change-Id: Ib67c85a9f900ef0a6a346cdbf3280b3a8f977ad7

doc/source/event_notifications.rst

@@ -66,7 +66,7 @@ notification will be sent.  Information about the error is handled through
 normal exception paths.
 
 Notification Example
-^^^^^^^^^^^^^^^^^^^^
+--------------------
 
 This is an example of a notification sent for a newly created user::
 
@@ -81,6 +81,21 @@ This is an example of a notification sent for a newly created user::
         "timestamp": "2013-08-29 19:03:45.960280"
     }
 
+Recommendations for consumers
+-----------------------------
+
+One of the most important notifications that Keystone emits is for project
+deletions (``event_type`` = ``identity.project.deleted``). This event should
+indicate to the rest of OpenStack that all resources (such as virtual machines)
+associated with the project should be deleted.
+
+Projects can also have update events (``event_type`` =
+``identity.project.updated``), wherein the project has been disabled. Keystone
+ensures this has an immediate impact on the accessibility of the project's
+resources by revoking tokens with authorization on the project, but should
+**not** have a direct impact on the projects resources (in other words, virtual
+machines should **not** be deleted).
+
 Auditing with CADF
 ==================