openstack client help shows domain can be changed for a project

Bug #1418384 reported by apal on 2015-02-05
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Steve Martinelli

Bug Description

(openstack) project set admin-apal -h
usage: project set [-h] [--name <name>] [--domain <domain>]
[--description <description>] [--enable | --disable]
[--property <key=value>]
Set project properties
positional arguments:
<project> Project to modify (name or ID)
optional arguments:
-h, --help show this help message and exit
--name <name> Set project name
--domain <domain> Set domain owning <project> (name or ID)
--description <description>
Set project description
--enable Enable project
--disable Disable project
--property <key=value>
Set a property on <project> (repeat option to set
multiple properties)
(openstack) project set admin-apal --domain admin-apal
ERROR: openstack Cannot change Domain ID (HTTP 400)

apal (yun-song) on 2015-02-06
tags: added: documentation
Morgan Fainberg (mdrnstm) wrote :

It is not supported to move a project between domains by design (as you can see by the error). This is for a number of reasons, notably around security.

I am not sure the best document for this to go into. The error is not a very deep explanation of what happened when filtered through the openstack client interface (but it still makes sense, the Domain ID cannot be changed).

Changed in keystone:
importance: Undecided → Low
status: New → Triaged
Morgan Fainberg (mdrnstm) wrote :

Aha, Just re-read this. This is a bug in openstack client. updating to show details.

summary: - document show --domain option but openstack cannot change project Domain
- ID
+ openstack client help shows domain can be changed for a project
Morgan Fainberg (mdrnstm) wrote :

Added openstackclient to the bug. This is working as intended in Keystone. I am marking this as invalid in keystone.

Changed in keystone:
status: Triaged → Invalid
Steve Martinelli (stevemar) wrote :
Changed in python-openstackclient:
status: New → In Progress
assignee: nobody → Steve Martinelli (stevemar)
milestone: none → m8
importance: Undecided → Medium

Submitter: Jenkins
Branch: master

commit dca99782052da052aebea653bfbfc3dfc9a96a0e
Author: Steve Martinelli <email address hidden>
Date: Sun Feb 8 23:45:32 2015 -0500

    Do not allow user to change domain of a project

    Keystone Server already surfaces an error for this operation, but
    we should restrict the user, and not offer --domain to be changed
    for a project.

    Change-Id: I48317e8accfea3c285e6ad213e75b783de8070ac
    Closes-Bug: #1418384

Changed in python-openstackclient:
status: In Progress → Fix Committed

Submitter: Jenkins
Branch: master

commit 07c4fa9d4bde6f3d0a38bc4d7eb3df275e0b89cc
Author: Steve Martinelli <email address hidden>
Date: Sun Feb 8 23:52:56 2015 -0500

    Restrict groups and users from changing domains

    Similar to projects, we shouldn't allow users and groups to
    change domains. The server side tosses up an error but osc
    should restrict that behaviour in the first place.

    Related-Bug: #1418384

    Change-Id: I860291a5859c576021b18e35d1a12c32abfb6ca5

Dean Troyer (dtroyer) on 2015-03-10
Changed in python-openstackclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers