Back to bug 1021877
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Julie Pichon | 2013-10-22 09:05:26 UTC | Keywords | Security | |
| | | Target Release | --- | 3.0 |
| RHEL Program Management | 2013-10-22 09:11:04 UTC | Keywords | Documentation | |
| Julie Pichon | 2013-10-23 10:51:25 UTC | Status | NEW | CLOSED |
| | | CC | ayoung, pmyers | |
| | | Component | doc-Technical_Notes | openstack-keystone |
| | | Resolution | --- | WONTFIX |
| | | Doc Text | Cause: The default policy in Keystone v3 lets a user change their own password without first confirming the current password. See "identity:update_user": [["rule:admin_or_owner"]] in /etc/keystone/policy.json. This only affects v3 as Keystone v2.0 offers a separate update_own_password API which requires confirming the old password, before setting a new one. Workaround (if any): The suggested fix is to change /etc/keystone/policy.json to read "identity:update_user": [["rule:admin_required"]] instead, so that only admin users have the ability to change the user information. Note that this means a regular user won't have any way to change their own password anymore. | |
| | | QA Contact | ecs-bugs | ajeain |
| | | Doc Type | Bug Fix | Known Issue |
| | | Last Closed | 2013-10-23 06:51:25 UTC | |
| Bruce Reeler | 2013-11-04 07:37:46 UTC | CC | breeler | |
| Doc Text | Cause: The default policy in Keystone v3 lets a user change their own password without first confirming the current password. See "identity:update_user": [["rule:admin_or_owner"]] in /etc/keystone/policy.json. This only affects v3 as Keystone v2.0 offers a separate update_own_password API which requires confirming the old password, before setting a new one. Workaround (if any): The suggested fix is to change /etc/keystone/policy.json to read "identity:update_user": [["rule:admin_required"]] instead, so that only admin users have the ability to change the user information. Note that this means a regular user won't have any way to change their own password anymore. | The default policy in Keystone v3 lets a user change their own password without first confirming the current password. See "identity:update_user": [["rule:admin_or_owner"]] in /etc/keystone/policy.json. This only affects v3 as Keystone v2.0 offers a separate update_own_password API which requires confirming the old password, before setting a new one. The suggested fix is to change /etc/keystone/policy.json to read "identity:update_user": [["rule:admin_required"]] instead, so that only admin users have the ability to change the user information. Note that this means a regular user won't have any way to change their own password anymore. |
| Summer Long | 2014-03-18 21:48:13 UTC | CC | jpichon | |
| | | Flags | needinfo?(jpichon) | |
| Julie Pichon | 2014-03-19 06:31:38 UTC | Flags | needinfo?(jpichon) | |
| John Skeoch | 2015-02-15 22:02:30 UTC | CC | athomas | |
| Perry Myers | 2016-04-26 18:01:16 UTC | CC | pmyers |
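As an added illustration (not Keystone's own policy engine), the following Python evaluator handles the list-of-lists policy.json syntax quoted in the Doc Text above and shows that the default `admin_or_owner` rule lets a non-admin user pass `identity:update_user` for their own record, while the `admin_required` workaround does not. The bodies of the `admin_required`, `owner` and `admin_or_owner` rules are constructed here on the assumption that they match the stock file; only the `identity:update_user` line is quoted on the page.

```python
import json

# Constructed excerpt of a Havana-era /etc/keystone/policy.json in the
# list-of-lists syntax the bug refers to: the outer list is OR, each
# inner list is AND. Helper rule bodies are assumed, not quoted from the page.
WEAK_POLICY = json.loads("""{
  "admin_required": [["role:admin"], ["is_admin:1"]],
  "owner": [["user_id:%(user_id)s"]],
  "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
  "identity:update_user": [["rule:admin_or_owner"]]
}""")

# The workaround from the Doc Text: restrict user updates to admins only.
HARDENED_POLICY = dict(WEAK_POLICY, **{"identity:update_user": [["rule:admin_required"]]})


def _check(term, policy, creds, target):
    """Evaluate one 'kind:value' term against the caller's credentials."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return evaluate(value, policy, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic attribute match, e.g. user_id:%(user_id)s compares the
    # caller's user_id with the target user's id after substitution.
    expected = value % target
    return str(creds.get(kind)) == expected


def evaluate(rule, policy, creds, target):
    """True if any AND-group in the rule's OR-list is fully satisfied."""
    groups = policy.get(rule, [])
    return any(all(_check(t, policy, creds, target) for t in group) for group in groups)


def can_update_user(policy, creds, target_user_id):
    """Would this caller pass the identity:update_user policy for that user?"""
    return evaluate("identity:update_user", policy, creds, {"user_id": target_user_id})


if __name__ == "__main__":
    member = {"user_id": "u1", "roles": ["member"]}
    print("weak policy, own record:", can_update_user(WEAK_POLICY, member, "u1"))          # True
    print("hardened policy, own record:", can_update_user(HARDENED_POLICY, member, "u1"))  # False
```

Note that, as the Doc Text says, the hardened policy also removes the regular user's only v3 route to changing their own password.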