Bug 1016647 - User can change his password without knowing his current password
Summary: User can change his password without knowing his current password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 4.0
Assignee: Matthias Runge
QA Contact: Nir Magnezi
URL:
Whiteboard:
Depends On:
Blocks: CVE-2013-4471
Reported: 2013-10-08 13:19 UTC by Rami Vaknin
Modified: 2013-12-20 00:26 UTC
CC List: 8 users

Fixed In Version: python-django-horizon-2013.2-0.15.rc2.el6ost
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-20 00:26:26 UTC
Target Upstream Version:
Embargoed:




Links
- Launchpad 1237989 (status: none; last updated: never)
- Red Hat Product Errata RHEA-2013:1859, priority normal, status SHIPPED_LIVE: Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory (last updated 2013-12-21 00:01:48 UTC)

Description Rami Vaknin 2013-10-08 13:19:42 UTC
Version
=======
rhos 4.0 on rhel 6.5, puddle 2013-10-03.3

Description
===========

Scenario:

1. Log in to Horizon; you can choose any user, either admin or non-admin
2. Click on the Settings link in the upper-right corner
3. Choose the Change Password vertical-tab
4. Enter a wrong "Current Password" value
5. Enter a new password in the New Password and New Password Confirm boxes

The password will be changed to the new one although the old password is wrong.

Note that you're requested to provide a non-empty value in the Current Password box in order to proceed with the change password operation.
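
The failure mode reported above, shown as an added example rather than Horizon's own code: a minimal change-password handler in the reported shape (the "Current Password" field only has to be non-empty) next to a hardened form that refuses the change unless the supplied current password actually verifies against the stored credential. The `UserStore`, `change_password_unverified` and `change_password_verified` names, the PBKDF2 hashing and the in-memory store are all assumptions standing in for Keystone; the actual fix recorded later in this bug was to disable the feature on Keystone v3 rather than to add such a check in Horizon.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example, not Horizon or Keystone code. Hashing parameters are
# illustrative; a real deployment would use the identity service's own store.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the password, generating a fresh salt if none given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes


class UserStore:
    """Hypothetical in-memory credential store standing in for the identity backend."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def add(self, name: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[name] = User(name, salt, digest)

    def check(self, name: str, password: str) -> bool:
        user = self.users[name]
        return verify_password(password, user.salt, user.digest)

    def set_password(self, name: str, password: str) -> None:
        user = self.users[name]
        user.salt, user.digest = hash_password(password)


def change_password_unverified(store: UserStore, name: str, current: str,
                               new: str, confirm: str) -> bool:
    """Mirrors the reported behaviour: 'current' is required to be non-empty but never checked."""
    if not current or new != confirm:
        return False
    store.set_password(name, new)      # credential replaced without proof of the old one
    return True


def change_password_verified(store: UserStore, name: str, current: str,
                             new: str, confirm: str) -> bool:
    """Hardened form: the change is bound to proof of the current password."""
    if not current or new != confirm:
        return False
    if not store.check(name, current):
        return False                   # wrong current password: refuse, credential untouched
    store.set_password(name, new)
    return True


if __name__ == "__main__":
    store = UserStore()
    store.add("alice", "old-secret")
    print("unverified handler accepted wrong current password:",
          change_password_unverified(store, "alice", "wrong-guess", "new-pass", "new-pass"))
    store = UserStore()
    store.add("alice", "old-secret")
    print("verified handler accepted wrong current password:",
          change_password_verified(store, "alice", "wrong-guess", "new-pass", "new-pass"))
    print("verified handler accepted correct current password:",
          change_password_verified(store, "alice", "old-secret", "new-pass", "new-pass"))
```

The distinguishing check is the `store.check(name, current)` call: in the unverified handler the only thing the "Current Password" field gates is form validation, which is exactly what the scenario above observes.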

Comment 2 Kurt Seifried 2013-10-09 05:24:18 UTC
(In reply to Rami Vaknin from comment #0)
> Version
> =======
> rhos 4.0 on rhel 6.5, puddle 2013-10-03.3
> 
> Description
> ===========
> 
> Scenario:
> 
> 1. Log in to Horizon; you can choose any user, either admin or non-admin
> 2. Click on the Settings link in the upper-right corner
> 3. Choose the Change Password vertical-tab
> 4. Enter a wrong "Current Password" value
> 5. Enter a new password in the New Password and New Password Confirm boxes
> 
> The password will be changed to the new one although the old password is
> wrong.
> 
> Note that you're requested to provide a non-empty value in the Current
> Password box in order to proceed with the change password operation.

Do you know if this also affects upstream as well? If unknown that's ok.

Comment 3 Rami Vaknin 2013-10-09 05:55:58 UTC
(In reply to Kurt Seifried from comment #2)
> (In reply to Rami Vaknin from comment #0)
> > Version
> > =======
> > rhos 4.0 on rhel 6.5, puddle 2013-10-03.3
> > 
> > Description
> > ===========
> > 
> > Scenario:
> > 
> > 1. Log in to Horizon; you can choose any user, either admin or non-admin
> > 2. Click on the Settings link in the upper-right corner
> > 3. Choose the Change Password vertical-tab
> > 4. Enter a wrong "Current Password" value
> > 5. Enter a new password in the New Password and New Password Confirm boxes
> > 
> > The password will be changed to the new one although the old password is
> > wrong.
> > 
> > Note that you're requested to provide a non-empty value in the Current
> > Password box in order to proceed with the change password operation.
> 
> Do you know if this also affects upstream as well? If unknown that's ok.

Sorry but I don't know, I have no upstream version in hands ATM.

Comment 4 Matthias Runge 2013-10-09 06:54:55 UTC
Also affects upstream version!

Comment 6 Alan Pevec 2013-10-15 19:23:45 UTC
tl;dr from upstream bug:
* fix in Horizon was to disable change password functionality on keystone v3
* Keystone server fix is to make default policy more restrictive and require adminess to change password in v3
* Identity v3 gap will be closed in Icehouse with API allowing update_own_password functionality from v2

Comment 12 Nir Magnezi 2013-10-24 11:05:36 UTC
Verified NVR: python-django-horizon-2013.2-0.15.rc2.el6ost.noarch

Followed the steps in Comment #0 both for admin and non-admin users.
The option for a user to change his own password is now disabled, and hence not present in the UI.

Comment 13 Kurt Seifried 2013-10-25 20:19:20 UTC
However the previous version we shipped, as well as upstream allowed this password change in past without verifying the password, correct?

Comment 14 Matthias Runge 2013-10-28 08:29:19 UTC
Kurt, we didn't ship that version, as it's a pre-release.
In earlier, i.e. Grizzly installs, Horizon didn't support keystone v3, and only keystone v3 is affected with this issue.

From the launchpad bug:
For the OSSN crew:
We need to warn Grizzly users that they may not be as secure as they think with the Grizzly default for "user_update" policy and should consider changing it to "admin_required".

This affects keystone in grizzly(2013.1.x); havana (2013.2.x) is not affected.

Comment 15 Julie Pichon 2013-10-29 13:44:16 UTC
An effort at documenting this for the release notes was made in bug 1021877.

Comment 17 errata-xmlrpc 2013-12-20 00:26:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html

