
yahoo-eng-team team mailing list archive

[Bug 1337245] Re: Changing user password is totally mishandled

 

I will split the keystone bug into a separate one, but for the clients it's
the same bug, right?

** No longer affects: keystone

** Description changed:

  Problems:
  ========
  
-  1. In v2 the set_user_password controller method call update_user,
- which mean that setting only 'identity:change_password' to 'rule:owner'
- will not works unless 'identity:update_user' is also changed to
- 'rule:owner' or similar.
  
-  2. Both the keystoneclient and openstackclient do a GET /v./users/<uid>
- before sending a PUT /users/<uid>/password which mean that to allow user
- to change his password from command line, user should also be able to do
- a get i.e. 'identity:get_user' should also be changed to 'rule:owner'.
+  1. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password which mean that to allow user to change his password from command line, user should also be authz to do a get i.e. 'identity:get_user' policy rule should also be changed beside the 'identity:update_password'.
  
-  3. The openstackclient v3 doesn't use
+  2. The openstackclient v3 doesn't use
  identityclient.users.update_password for just updating the password
  instead it use the full user update, which will not work with just
  changing the 'identity:change_password'.
  
- NOTE: Stating the obvious, I picked up 'rule:owner' as an example, which
- is what make sense in our case, but the problem is not specific to this
- rule
+  3. keystoneclient v3 doesn't allow changing other users password even
+ though the API support it.
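
Review bot: the new items 1 and 2 name the password rule differently: item 1 says 'identity:update_password' while item 2 (like the removed text) says 'identity:change_password'. If both mean the same policy rule, use one name in both items so that anyone adjusting policy from this description edits the right rule. The rewrite also drops the removed item's point that the v2 set_user_password path depends on 'identity:update_user'; a pointer to the bug that now tracks it would keep that dependency traceable.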

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1337245

Title:
  Changing user password is totally mishandled

Status in Python client library for Keystone:
  Incomplete
Status in OpenStack Command Line Client:
  Incomplete

Bug description:
  Problems:
  ========

  
   1. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password, which means that to allow a user to change his password from the command line, the user should also be authz to do a get, i.e. the 'identity:get_user' policy rule should also be changed beside the 'identity:update_password'.

   2. The openstackclient v3 doesn't use
  identityclient.users.update_password for just updating the password;
  instead it uses the full user update, which will not work with just
  changing the 'identity:change_password'.

   3. keystoneclient v3 doesn't allow changing other users' password even
  though the API supports it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/python-keystoneclient/+bug/1337245/+subscriptions
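
The policy interaction described in items 1 and 2 of the bug, as an added example that is not part of the original message and is not keystone or client code. The evaluator, the admin-only default, the sample user and the flow table are assumptions made for illustration; only the rule names and 'rule:owner' come from the bug text.

```python
# Toy policy check (constructed; not keystone's policy engine).
ADMIN = lambda creds, target: "admin" in creds["roles"]
OWNER = lambda creds, target: creds["user_id"] == target["user_id"]  # stands in for 'rule:owner'

def make_policy(owner_rules):
    """Assumed baseline: every rule is admin-only; the named ones are opened to the owner."""
    rules = ("identity:get_user", "identity:update_user", "identity:change_password")
    return {r: (OWNER if r in owner_rules else ADMIN) for r in rules}

# Policy rules each flow must pass, in order, following the bug description.
FLOWS = {
    "direct PUT /users/<uid>/password": ["identity:change_password"],
    "client: GET user, then PUT password": ["identity:get_user", "identity:change_password"],
    "openstackclient v3: full user update": ["identity:update_user"],  # at minimum
}

def first_denied(policy, flow, creds, target):
    """Return the first rule that rejects the caller, or None if the whole flow passes."""
    for rule in FLOWS[flow]:
        if not policy[rule](creds, target):
            return rule
    return None

def report(policy, creds, target):
    """Map every flow to the rule that blocks it (None means allowed)."""
    return {flow: first_denied(policy, flow, creds, target) for flow in FLOWS}

if __name__ == "__main__":
    alice = {"user_id": "u-alice", "roles": ["member"]}  # constructed sample user
    for owner_rules in (["identity:change_password"],
                        ["identity:change_password", "identity:get_user"]):
        print("owner may:", owner_rules)
        for flow, denied in report(make_policy(owner_rules), alice, {"user_id": "u-alice"}).items():
            print(f"  {flow}: {'allowed' if denied is None else 'denied by ' + denied}")
```

Opening only the password rule to the owner lets the bare API call through but not either client flow, so an operator ends up widening 'identity:get_user' or 'identity:update_user' beyond what a password change needs.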

