Bug 1021877

Summary: Note about Keystone v3 policy and changing own password
Product: Red Hat OpenStack
Reporter: Julie Pichon <jpichon>
Component: openstack-keystone
Assignee: Summer Long <slong>
Status: CLOSED WONTFIX
QA Contact: Ami Jeain <ajeain>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.0
CC: athomas, ayoung, breeler, hateya, jpichon, yeylon
Target Milestone: ---
Keywords: Documentation, Security
Target Release: 3.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
The default policy in Keystone v3 lets a user change their own password without first confirming the current password. See "identity:update_user": [["rule:admin_or_owner"]] in /etc/keystone/policy.json. This only affects v3, as Keystone v2.0 offers a separate update_own_password API which requires confirming the old password before setting a new one. The suggested fix is to change /etc/keystone/policy.json to read "identity:update_user": [["rule:admin_required"]] instead, so that only admin users have the ability to change user information. Note that this means a regular user won't have any way to change their own password anymore.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-23 10:51:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Julie Pichon 2013-10-22 09:04:13 UTC
Description of problem:

The default policy in Keystone v3 lets a user change their own password without first confirming the current password.

The suggested fix is to change /etc/keystone/policy.json from "identity:update_user": [["rule:admin_or_owner"]], to "identity:update_user": [["rule:admin_required"]], so that only admin users have the ability to do so.

It might be useful to mention this in the async release notes so that users may take the appropriate corrective action if desired.

Version-Release number of selected component (if applicable):
RHOS 3.0 (recently fixed in the RHOS 4.0 release - a new deployment shouldn't suffer from this).


Additional info:

See https://bugs.launchpad.net/horizon/+bug/1237989/ for the upstream discussion
See bug 1016647 for the internal bug and discussion

Note that it was not possible for a user to change their own password using Horizon in Grizzly / RHOS 3.0.
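As an added illustration (not Keystone's own code), a small evaluator for the Grizzly-era list-of-lists policy.json format shows why the default rule lets the token holder update their own user record and why the suggested admin_required rule removes that path. The admin_required, owner and admin_or_owner definitions are assumed to have the shape of Keystone's default policy file; only the identity:update_user line is quoted in the bug.

```python
"""Evaluator for the list-of-lists policy.json format: a rule is a list of
alternatives (OR), each alternative a list of atoms that must all hold (AND).
Added example for this bug report; it is not Keystone's policy engine."""

# Assumed supporting rules (shape of Keystone's default policy.json of the time).
DEFAULT_POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "identity:update_user": [["rule:admin_or_owner"]],   # as quoted in the bug
}

# The hardened variant the bug suggests: only admins may update user records.
HARDENED_POLICY = dict(DEFAULT_POLICY,
                       **{"identity:update_user": [["rule:admin_required"]]})


def _atom_holds(atom, policy, creds, target):
    kind, _, match = atom.partition(":")
    if kind == "rule":                    # reference to another named rule
        return enforce(match, policy, creds, target)
    if kind == "role":                    # any of the caller's roles matches
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    match = match % target                # expand %(user_id)s from the target
    return kind in creds and match == str(creds[kind])


def enforce(rule, policy, creds, target):
    """True if `creds` satisfy `rule` against `target`. A rule missing from
    the policy is denied here (the real engine falls back to a "default" rule)."""
    alternatives = policy.get(rule, [])
    return any(all(_atom_holds(a, policy, creds, target) for a in conj)
               for conj in alternatives)


def can_update_user(policy, creds, target_user_id):
    """Evaluate identity:update_user for a request targeting target_user_id."""
    return enforce("identity:update_user", policy, creds,
                   {"user_id": target_user_id})


if __name__ == "__main__":
    # Constructed sample credentials: a plain member and an admin.
    alice = {"user_id": "u-alice", "roles": ["Member"]}
    admin = {"user_id": "u-admin", "roles": ["admin"]}
    print(can_update_user(DEFAULT_POLICY, alice, "u-alice"))   # True: owner, no old password needed
    print(can_update_user(DEFAULT_POLICY, alice, "u-bob"))     # False: not owner, not admin
    print(can_update_user(HARDENED_POLICY, alice, "u-alice"))  # False: self-service removed
    print(can_update_user(HARDENED_POLICY, admin, "u-alice"))  # True: admin only
```

The first and third calls are the trade-off the doc text describes: the default allows an unchallenged self-update from any valid token, while the hardened rule closes that path at the cost of self-service password changes.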

Comment 1 Julie Pichon 2013-10-23 10:51:25 UTC
After discussing with Summer Long, this should be moved to the Identity component. There won't be a fix for stable/grizzly / RHOS 3.0 as configuration changes could have other repercussions. So this will be closed as WONTFIX with a doc text describing the issue.

Comment 4 Julie Pichon 2014-03-19 06:31:38 UTC
This is no longer fully accurate: during Icehouse, Keystone added back a method for a user to update their own password. See https://blueprints.launchpad.net/keystone/+spec/v3-user-update-own-password.

However, from the user's point of view, there are no changes yet, as the keystone client hasn't been updated yet to reflect the change, so neither the CLI nor Horizon can. This is being tracked in https://bugs.launchpad.net/horizon/+bug/1239757 and we're hoping that the patches will land in time for the Icehouse RC.