yahoo-eng-team team mailing list archive

[Bug 1387372] Re: double check admin password when update user password

** Changed in: horizon
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1387372

Title:
  double check admin password when update user password

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in Python client library for Keystone:
  Opinion

Bug description:
  As an Admin, you can change User passwords (see attached screenshot
  for Horizon's Edit User modal).

  However, it is a security issue that the Admin is not asked for his
  OWN password when making changes.  This issue surfaces when using the
  Horizon dashboard.

  For example if the logged in admin leaves an unattended computer,
  someone can change the password of the logged in user successfully.

  We should add an almost identical method here:
  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L145
  with added admin password verification before changing the password.

  Then in Horizon, we can add a new field "Admin Password" as a
  verification that the person changing the password is *really* the
  logged in user.

  Copying the response from the patch to give context on the change
  requested: While I agree that this patch does not provide a complete
  solution, it does close a hole which is typically caught and flagged
  when security audits are done on systems running in large enterprises.
  We have already seen a real example of this being caught at an
  enterprise during a security audit. The shorter timeout solution would
  not enable the enterprise to pass its security audit. Having this
  option, even though it is a partial fix, will resolve a very
  irritating user experience issue that is being encountered. And again
  it's optional but will be much appreciated by certain customer sets.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1387372/+subscriptions
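The control the report asks for, re-proving the acting admin's own password before another user's password is changed, as an added illustration that is not Horizon or python-keystoneclient code. The in-memory `IdentityStore` stands in for Keystone and is constructed for this example; a real deployment would delegate `authenticate` to the identity service and would also gate on the existing session.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored credentials are not reversible; assumed parameters.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class IdentityStore:
    """Constructed stand-in for the identity backend (hypothetical, not Keystone)."""
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash(password, salt))

    def authenticate(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None:
            # Run the KDF anyway so an unknown name costs the same as a wrong password.
            _hash(password, os.urandom(16))
            return False
        return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)

    def change_password(self, actor: str, actor_password: str,
                        target: str, new_password: str) -> bool:
        """Admin-driven change that succeeds only if the actor re-proves their own password.

        A stolen or unattended session alone is therefore not enough to reset someone's
        password; every denied attempt is recorded for audit.
        """
        if not self.authenticate(actor, actor_password) or target not in self.users:
            self.audit.append(("password_change_denied", actor, target))
            return False
        user = self.users[target]
        user.salt = os.urandom(16)  # fresh salt on every change
        user.pw_hash = _hash(new_password, user.salt)
        self.audit.append(("password_changed", actor, target))
        return True
```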