
yahoo-eng-team team mailing list archive

[Bug 1387372] Re: double check admin password when update user password


** Changed in: python-keystoneclient
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1387372

Title:
  double check admin password when update user password

Status in OpenStack Dashboard (Horizon):
  In Progress
Status in Python client library for Keystone:
  Opinion

Bug description:
  As an Admin, you can change User passwords (see attached screenshot
  for Horizon's Edit User modal).

  However, it is a security issue that the Admin is not asked for his
  OWN password when making changes.  This issue surfaces when using the
  Horizon dashboard.

  For example, if the logged in admin leaves an unattended computer,
  someone can change the password of the logged in user successfully.

  We should add an almost identical method here:
  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L145
  with added admin password verification before changing the password.

  Then in Horizon, we can add a new field "Admin Password" as a
  verification that the person changing the password is *really* the
  logged in user.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1387372/+subscriptions
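The flow proposed in the bug, re-authenticating the acting admin against Keystone before the user password change is issued, as an added example that is not part of the bug report or of python-keystoneclient. It uses the Keystone v3 request shapes (POST /v3/auth/tokens, PATCH /v3/users/{id}); FakeKeystone, update_user_password_verified and the sample users are constructed for this example so it runs offline.

```python
class ReauthenticationFailed(Exception):
    """The caller could not prove knowledge of the admin's own password."""


class FakeKeystone:
    """Constructed in-memory stand-in for a Keystone v3 endpoint (not the real service)."""

    def __init__(self, users):
        # users: {user_id: {"password": ...}} -- constructed sample data
        self.users = users
        self.requests = []  # every call is recorded so the order can be checked

    def request(self, method, path, body):
        self.requests.append((method, path))
        if method == "POST" and path == "/v3/auth/tokens":
            cred = body["auth"]["identity"]["password"]["user"]
            uid = cred["id"]
            if uid in self.users and self.users[uid]["password"] == cred["password"]:
                return 201, {"token": {"user": {"id": uid}}}  # token issued
            return 401, {"error": {"code": 401, "message": "unauthorized"}}
        if method == "PATCH" and path.startswith("/v3/users/"):
            uid = path.rsplit("/", 1)[1]
            self.users[uid]["password"] = body["user"]["password"]
            return 200, {"user": {"id": uid}}
        return 404, {}


def update_user_password_verified(ks, admin_id, admin_password, target_id, new_password):
    """Change target_id's password only after re-authenticating the acting admin.

    The existing session token is not enough: the admin password typed into the
    proposed "Admin Password" field is checked first, so a left-open session
    alone cannot change another user's password.
    """
    auth_body = {"auth": {"identity": {"methods": ["password"], "password": {
        "user": {"id": admin_id, "password": admin_password}}}}}
    status, _ = ks.request("POST", "/v3/auth/tokens", auth_body)
    if status != 201:
        # Refuse before any change is attempted; nothing is sent to /v3/users.
        raise ReauthenticationFailed("admin password verification failed")
    status, _ = ks.request("PATCH", "/v3/users/%s" % target_id,
                           {"user": {"password": new_password}})
    return status == 200
```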