yahoo-eng-team team mailing list archive
Message #24997
[Bug 1387372] Re: double check admin password when update user password
** Changed in: python-keystoneclient
Status: New => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1387372
Title:
double check admin password when update user password
Status in OpenStack Dashboard (Horizon):
In Progress
Status in Python client library for Keystone:
Opinion
Bug description:
As an Admin, you can change User passwords (see attached screenshot
for Horizon's Edit User modal).
However, it is a security issue that the Admin is not asked for his
OWN password when making changes. This issue surfaces when using the
Horizon dashboard.
For example, if the logged-in admin leaves a computer unattended,
someone can successfully change the password of the logged-in user.
We should add an almost identical method here:
https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L145
with added admin password verification before changing the password.
Then in Horizon, we can add a new field "Admin Password" as a
verification that the person changing the password is *really* the
logged in user.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1387372/+subscriptions
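Added example, not code from Horizon, python-keystoneclient or the bug reporter: a Python sketch of the control the report asks for, a privileged password change that first re-verifies the acting admin's own password so that an unattended or hijacked dashboard session alone is not enough. The in-memory credential store, the names `FakeIdentityStore`, `admin_change_user_password` and `ReauthenticationFailed`, and the sample accounts are all constructed for the example and are not keystoneclient APIs; in a real deployment the verify step would be an authentication request to Keystone with the logged-in admin's username and the password just typed into the form.

```python
import hashlib
import hmac
import os


class ReauthenticationFailed(Exception):
    """Raised when the acting admin's own password does not verify."""


class FakeIdentityStore:
    """Constructed in-memory stand-in for the identity service (hypothetical,
    not Keystone): keeps salted PBKDF2 digests and verifies passwords."""

    _ITERATIONS = 100_000

    def __init__(self):
        self._creds = {}  # username -> (salt, digest)

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   self._ITERATIONS)

    def has_user(self, username):
        return username in self._creds

    def set_password(self, username, password):
        salt = os.urandom(16)
        self._creds[username] = (salt, self._digest(password, salt))

    def verify(self, username, password):
        entry = self._creds.get(username)
        if entry is None:
            return False
        salt, expected = entry
        # Constant-time compare so the check does not leak digest bytes via timing.
        return hmac.compare_digest(expected, self._digest(password, salt))


def admin_change_user_password(store, session_user, admin_password_entered,
                               target_user, new_password):
    """Privileged password change gated on re-authenticating the acting admin.

    session_user is the account the dashboard session belongs to. Its *own*
    password is re-verified before target_user is touched, so possession of
    the session (an unattended browser, a stolen cookie) is not sufficient.
    """
    if not store.verify(session_user, admin_password_entered):
        raise ReauthenticationFailed(
            f"password for logged-in user {session_user!r} did not verify")
    if not store.has_user(target_user):
        raise KeyError(f"unknown user {target_user!r}")
    store.set_password(target_user, new_password)
    return True


def demo():
    """Walk through the unattended-terminal scenario from the bug report.

    Returns (hijack_succeeded, old_password_still_valid, new_password_valid).
    """
    store = FakeIdentityStore()
    store.set_password("admin", "correct horse")   # constructed sample accounts
    store.set_password("alice", "alice-old")

    # Someone at the admin's open session guesses the admin password.
    try:
        admin_change_user_password(store, "admin", "guess", "alice", "pwned")
        hijacked = True
    except ReauthenticationFailed:
        hijacked = False

    # The real admin re-enters their own password in the "Admin Password" field.
    admin_change_user_password(store, "admin", "correct horse", "alice", "alice-new")
    return hijacked, store.verify("alice", "alice-old"), store.verify("alice", "alice-new")


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the check is bound to the session's identity, not to whatever username the form submits: the caller passes `session_user` from the authenticated session and the form supplies only the password, so an attacker cannot satisfy the check by re-authenticating as some other account they control.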