openstack client help shows domain can be changed for a project
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | OpenStack Identity (keystone) |
Low
|
Unassigned | ||
| | python-openstackclient |
Fix Released
|
Medium
|
Steve Martinelli | |
Bug Description
(openstack) project set admin-apal -h
usage: project set [-h] [--name <name>] [--domain <domain>]
[--description <description>] [--enable | --disable]
[--property <key=value>]
<project>
Set project properties
positional arguments:
<project> Project to modify (name or ID)
optional arguments:
-h, --help show this help message and exit
--name <name> Set project name
--domain <domain> Set domain owning <project> (name or ID)
--description <description>
Set project description
--enable Enable project
--disable Disable project
--property <key=value>
Set a property on <project> (repeat option to set
multiple properties)
(openstack) project set admin-apal --domain admin-apal
ERROR: openstack Cannot change Domain ID (HTTP 400)
| tags: | added: documentation |
| Morgan Fainberg (mdrnstm) wrote : | #1 |
| Changed in keystone: | |
| importance: | Undecided → Low |
| status: | New → Triaged |
| Morgan Fainberg (mdrnstm) wrote : | #2 |
Aha, Just re-read this. This is a bug in openstack client. updating to show details.
| summary: |
- document show --domain option but openstack cannot change project Domain - ID + openstack client help shows domain can be changed for a project |
| Morgan Fainberg (mdrnstm) wrote : | #3 |
Added openstackclient to the bug. This is working as intended in Keystone. I am marking this as invalid in keystone.
| Changed in keystone: | |
| status: | Triaged → Invalid |
| Steve Martinelli (stevemar) wrote : | #4 |
refer to patch: https:/
| Steve Martinelli (stevemar) wrote : | #5 |
also refer to: https:/
| Changed in python-openstackclient: | |
| status: | New → In Progress |
| assignee: | nobody → Steve Martinelli (stevemar) |
| milestone: | none → m8 |
| importance: | Undecided → Medium |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit dca99782052da05
Author: Steve Martinelli <email address hidden>
Date: Sun Feb 8 23:45:32 2015 -0500
Do not allow user to change domain of a project
Keystone Server already surfaces an error for this operation, but
we should restrict the user, and not offer --domain to be changed
for a project.
Change-Id: I48317e8accfea3
Closes-Bug: #1418384
| Changed in python-openstackclient: | |
| status: | In Progress → Fix Committed |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 07c4fa9d4bde6f3
Author: Steve Martinelli <email address hidden>
Date: Sun Feb 8 23:52:56 2015 -0500
Restrict groups and users from changing domains
Similar to projects, we shouldn't allow users and groups to
change domains. The server side tosses up an error but osc
should restrict that behaviour in the first place.
Related-Bug: #1418384
Change-Id: I860291a5859c57
| Changed in python-openstackclient: | |
| status: | Fix Committed → Fix Released |
It is not supported to move a project between domains by design (as you can see by the error). This is for a number of reasons, notably around security.
I am not sure the best document for this to go into. The error is not a very deep explanation of what happened when filtered through the openstack client interface (but it still makes sense, the Domain ID cannot be changed).