
yahoo-eng-team team mailing list archive

[Bug 1337245] [NEW] Changing user password is totally mishandled


Public bug reported:

Problems:
========

 1. There is a special RBAC entry for identity:change_password in v2 but not in the v3 default policy.json that comes with the keystone repository.
 
 2. In v2 the set_user_password controller method calls update_user, which means that setting only 'identity:change_password' to 'rule:owner' will not work unless 'identity:update_user' is also changed to 'rule:owner' or similar.
 
 3. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password, which means that to allow a user to change his password from the command line, the user should also be able to do a GET, i.e. 'identity:get_user' should also be changed to 'rule:owner'.

 4. The openstackclient v3 doesn't use identityclient.users.update_password for just updating the password; instead it uses the full user update, which will not work with just changing 'identity:change_password'.

NOTE: Stating the obvious, I picked 'rule:owner' as an example, which is what makes sense in our case, but the problem is not specific to this rule.

** Affects: keystone
     Importance: Undecided
     Assignee: mouadino (mouadino)
         Status: New

** Affects: python-keystoneclient
     Importance: Undecided
     Assignee: mouadino (mouadino)
         Status: New

** Affects: python-openstackclient
     Importance: Undecided
     Assignee: mouadino (mouadino)
         Status: New

** Also affects: python-openstackclient
   Importance: Undecided
       Status: New

** Also affects: python-keystoneclient
   Importance: Undecided
       Status: New

** Summary changed:

- Changing own password is totally mishandled
+ Changing user password is totally mishandled

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1337245

Title:
  Changing user password is totally mishandled

Status in OpenStack Identity (Keystone):
  New
Status in Python client library for Keystone:
  New
Status in OpenStack Command Line Client:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1337245/+subscriptions
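As an added illustration (not part of the bug report and not Keystone's own code), the Python below models the chain of policy checks the report describes with a small evaluator for the rule syntax used in policy.json. The policy fragments, the rule names beyond those the report quotes, the check ordering and the "admin_or_owner" variant (standing in for the report's "rule:owner or similar") are all assumptions; it shows that opening only identity:change_password leaves the CLI flow blocked at get_user and update_user.

```python
import re

# Constructed policy.json fragments (assumed, modelled on keystone's v2 file).
# WEAK changes only change_password to rule:owner, as the report's example does;
# FIXED opens all three rules on the CLI's code path via admin_or_owner.
BASE = {
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:get_user": "rule:admin_required",
    "identity:update_user": "rule:admin_required",
    "identity:change_password": "rule:admin_required",
}
WEAK = dict(BASE, **{"identity:change_password": "rule:owner"})
FIXED = dict(BASE, **{"identity:get_user": "rule:admin_or_owner",
                      "identity:update_user": "rule:admin_or_owner",
                      "identity:change_password": "rule:admin_or_owner"})

# Rules enforced, in order, for one CLI password change as the report describes
# it: the client's GET on the user, then the PUT whose v2 controller calls update_user.
CLI_CHAIN = ["identity:get_user", "identity:change_password", "identity:update_user"]

def _atom(policy, atom, creds, target):
    """Evaluate one term of the small oslo.policy subset used here."""
    if atom == "!":  # literal deny, also used for rules missing from the file
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check(policy, value, creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    # Generic check, e.g. user_id:%(user_id)s: compare the caller's user_id with
    # the user_id of the target user being acted on.
    ref = re.fullmatch(r"%\((\w+)\)s", value)
    expected = target.get(ref.group(1)) if ref else value
    return kind in creds and str(creds[kind]) == str(expected)

def check(policy, rule, creds, target):
    """'and' binds tighter than 'or', as in oslo.policy; unknown rules deny."""
    expr = policy.get(rule, "!")
    return any(all(_atom(policy, a.strip(), creds, target) for a in clause.split(" and "))
               for clause in expr.split(" or "))

def denied_rules(policy, creds, target_user_id, chain=CLI_CHAIN):
    """Rules in `chain` that reject the call; an empty list means the command succeeds."""
    target = {"user_id": target_user_id}
    return [r for r in chain if not check(policy, r, creds, target)]
```

Running denied_rules(WEAK, {"user_id": "alice", "roles": ["_member_"]}, "alice") lists get_user and update_user as the blocking rules, while the same call against FIXED returns an empty list and an admin resetting another user's password still passes.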

