Bug 1021877
Summary: | Note about Keystone v3 policy and changing own password | |
---|---|---|---
Product: | Red Hat OpenStack | Reporter: | Julie Pichon <jpichon>
Component: | openstack-keystone | Assignee: | Summer Long <slong>
Status: | CLOSED WONTFIX | QA Contact: | Ami Jeain <ajeain>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 3.0 | CC: | athomas, ayoung, breeler, hateya, jpichon, yeylon
Target Milestone: | --- | Keywords: | Documentation, Security
Target Release: | 3.0 | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Known Issue
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2013-10-23 10:51:25 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |

Doc Text:

The default policy in Keystone v3 lets a user change their own password without first confirming the current password. The rule responsible is "identity:update_user": [["rule:admin_or_owner"]] in /etc/keystone/policy.json: the owner half of that rule gives a user full update rights over their own record, password included, so a valid token for the user is all that is needed to set a new password. Anyone who obtains such a token can therefore lock the legitimate user out of the account. This only affects v3, as Keystone v2.0 offers a separate update_own_password API which requires confirming the old password before setting a new one.

The suggested fix is to change /etc/keystone/policy.json to read "identity:update_user": [["rule:admin_required"]] instead, so that only admin users can change user information. Note that this means a regular user will no longer have any way to change their own password; password changes then have to be made by an administrator.
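The two policy.json settings quoted in the Doc Text can be checked mechanically rather than by reading the file. What follows is an added example, not Keystone's own policy engine: a small evaluator for the Grizzly-era list-of-lists rule syntax of /etc/keystone/policy.json (it does not handle the string-form rules of later releases). The identity:update_user line is the one quoted in the bug; the admin_required, owner and admin_or_owner rule bodies are assumed to match the stock Grizzly file and are not quoted on this page. The example shows that a plain Member token for a user satisfies identity:update_user on that user's own record under the default rule and does not under the suggested admin_required rule, while an admin token is allowed either way; run it with the path to a policy.json to audit a real file.

```python
"""Minimal evaluator for the list-of-lists rule syntax of Keystone's
Grizzly-era /etc/keystone/policy.json.

Added example; this is not Keystone's own policy engine. It covers only the
constructs needed here: "rule:<name>" references, "role:<name>" checks, and
generic "<cred>:<value>" checks with %(key)s substituted from the target.
"""
import json
import sys

# Constructed policy fragment. The identity:update_user line is the one quoted
# in the bug; the admin_required, owner and admin_or_owner bodies are assumed
# to match the stock Grizzly file and are not quoted on the bug page.
DEFAULT_POLICY_JSON = """
{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "identity:update_user": [["rule:admin_or_owner"]]
}
"""
DEFAULT_POLICY = json.loads(DEFAULT_POLICY_JSON)

# The suggested fix from the bug's Doc Text: only admin_required satisfies it.
HARDENED_POLICY = dict(DEFAULT_POLICY)
HARDENED_POLICY["identity:update_user"] = [["rule:admin_required"]]


def _check(atom, creds, target, policy):
    """Evaluate a single "kind:match" atom against the request."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, policy)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: expand %(key)s from the target object, then compare with
    # the credential of the same name (user_id, is_admin, ...).
    try:
        expected = match % target
    except KeyError:
        return False  # target lacks the attribute; nothing to match against
    return str(creds.get(kind)) == expected


def enforce(rule, creds, target, policy):
    """Return True if `creds` may perform `rule` on `target`.

    A rule body is a list of alternatives (OR); each alternative is a list of
    atoms that must all hold (AND). An empty list is always allowed, and an
    unknown rule name is denied.
    """
    alternatives = policy.get(rule)
    if alternatives is None:
        return False
    if not alternatives:
        return True
    return any(all(_check(atom, creds, target, policy) for atom in alt)
               for alt in alternatives)


def owner_can_update_self(policy):
    """The check behind the bug: can a non-admin user satisfy
    identity:update_user on their own record? True means a bare token for
    the user is enough to set a new password without knowing the current one.
    """
    creds = {"user_id": "alice-id", "roles": ["Member"]}   # constructed token
    target = {"user_id": "alice-id"}                       # record being updated
    return enforce("identity:update_user", creds, target, policy)


def summarize(policy):
    """Outcomes for the three request shapes a reviewer cares about."""
    admin = {"user_id": "admin-id", "roles": ["admin"]}    # constructed token
    bob = {"user_id": "bob-id", "roles": ["Member"]}       # constructed token
    alice_record = {"user_id": "alice-id"}
    return {
        "owner_self": owner_can_update_self(policy),
        "other_member": enforce("identity:update_user", bob, alice_record, policy),
        "admin": enforce("identity:update_user", admin, alice_record, policy),
    }


if __name__ == "__main__":
    # Audit a real file: python policy_check.py /etc/keystone/policy.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = DEFAULT_POLICY
    result = summarize(policy)
    print(result)
    if result["owner_self"]:
        print("identity:update_user is satisfied by the owner alone: "
              "a password change needs no current-password check")
```

The evaluator denies unknown rule names rather than falling back to a "default" rule, so an audit of a file that renames or drops a rule fails closed instead of silently reporting the request as allowed.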
Description
Julie Pichon
2013-10-22 09:04:13 UTC
After discussing with Summer Long, this should be moved to the Identity component. There won't be a fix for stable/grizzly / RHOS 3.0 as configuration changes could have other repercussions. So this will be closed as WONTFIX with a doc text describing the issue.

This is no longer fully accurate: during Icehouse, Keystone added back a method for a user to update their own password. See https://blueprints.launchpad.net/keystone/+spec/v3-user-update-own-password . However, from the user's point of view there are no changes yet, as the keystone client hasn't been updated yet to reflect the change, so neither the CLI nor Horizon can. This is being tracked in https://bugs.launchpad.net/horizon/+bug/1239757 and we're hoping that the patches will land in time for the Icehouse RC.