← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #75216

[Bug 1791111] Re: allow change password upon first use as user

  Thread PreviousDate PreviousThread Next 
I was able to verify this feature works, but more importantly why this
was failing for Paul. I did the following

 1. Created a new user called lbragstad with a password of `password`
 2. Set keystone.conf [security_compliance] change_password_upon_first_user = True
 3. Restarted keystone to apply the config changes
 4. Attempted to change my password as lbragstad using python-openstackclient

This actually fails because python-openstackclient is going to attempt
to get a token from keystone as the user authenticating (lbragstad in
this case). This is doine for discovery purposes, but it results in a
401 because of the logic in keystone.

Alternatively, if I build a request to change my password and use
keystone API directly, I can successfully change my password [0].

Hopefully this helps. I agree with Morgan in that we need to update the
clients and horizon to be smarter about this specific API and forego
getting a token to avoid the 401.

[0] http://paste.openstack.org/raw/731863/

** Also affects: python-openstackclient
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1791111

Title:
  allow change password upon first use as user

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Identity (keystone):
  Invalid
Status in python-openstackclient:
  New

Bug description:
  It's impossible to reset your password in user level if
  "change_password_upon_first_use" is set.

  keystone.conf:
  [security_compliance]
  change_password_upon_first_use = True

  For new users it's impossible to reset your password via keystone. You
  can only reset the password via an admin, which created the user in
  the first place. So now the change_password_upon_first_use is kinda
  useless.

  (test2@test) [root@controller1 ~]# openstack user password set
  The password is expired and needs to be changed for user: bd3cc251fe694b15be88c443aa752ec1. (HTTP 401) (Request-ID: req-cdc7ddaf-d2ec-49ac-9708-2693811eb819)

  Desired situation: User can reset it's own password on first use.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1791111/+subscriptions

References

  Thread PreviousDate PreviousThread Next