Bug 1021877 - Note about Keystone v3 policy and changing own password
Status: CLOSED WONTFIX
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone (Show other bugs)
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 3.0
Assigned To: Summer Long
QA Contact: Ami Jeain
Keywords: Documentation, Security
Depends On:
Blocks:
Reported: 2013-10-22 05:04 EDT by Julie Pichon
Modified: 2016-04-26 14:01 EDT (History)

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
The default policy in Keystone v3 lets a user change their own password without first confirming the current password. See "identity:update_user": [["rule:admin_or_owner"]] in /etc/keystone/policy.json. This only affects v3, as Keystone v2.0 offers a separate update_own_password API which requires confirming the old password before setting a new one. The suggested fix is to change /etc/keystone/policy.json to read "identity:update_user": [["rule:admin_required"]] instead, so that only admin users have the ability to change user information. Note that this means a regular user won't have any way to change their own password anymore.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-23 06:51:25 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1237989 None None None Never

Description Julie Pichon 2013-10-22 05:04:13 EDT
Description of problem:

The default policy in Keystone v3 lets a user change their own password without first confirming the current password.

The suggested fix is to change /etc/keystone/policy.json from "identity:update_user": [["rule:admin_or_owner"]], to "identity:update_user": [["rule:admin_required"]], so that only admin users have the ability to do so.

It might be useful to mention this in the async release notes so that users may take the appropriate corrective action if desired.

Version-Release number of selected component (if applicable):
RHOS 3.0 (recently fixed in the RHOS 4.0 release - a new deployment shouldn't suffer from this).


Additional info:

See https://bugs.launchpad.net/horizon/+bug/1237989/ for the upstream discussion
See bug 1016647 for the internal bug and discussion

Note that it was not possible for a user to change their own password using Horizon in Grizzly / RHOS 3.0.
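A policy-file audit for the setting this bug describes, added here as an example and not part of the bug report or of Keystone itself. It evaluates the Grizzly-era policy.json syntax (outer list = OR, inner list = AND, "rule:" references) against a non-admin owner to report whether self-service user updates are allowed; the policy excerpt is constructed and the rule names admin_required, owner and admin_or_owner are assumed to match the default file.

```python
import json

# Constructed excerpt modelled on the Grizzly-era /etc/keystone/policy.json
# (assumed rule names; only the rules needed for identity:update_user).
WEAK_POLICY = json.loads("""{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "identity:update_user": [["rule:admin_or_owner"]]
}""")

# The hardened variant suggested in the bug: only admins may update users.
HARDENED_POLICY = dict(WEAK_POLICY,
                       **{"identity:update_user": [["rule:admin_required"]]})


def check(atom, creds, target, policy):
    """Evaluate one atom such as 'role:admin', 'rule:owner' or
    'user_id:%(user_id)s' (the %(name)s part is filled from the target)."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(value, creds, target, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    return str(creds.get(kind)) == value % target


def evaluate(rule_name, creds, target, policy):
    """OR over the outer list, AND over each inner list; an unknown rule
    denies, which is the safe default for an audit."""
    return any(all(check(a, creds, target, policy) for a in conj)
               for conj in policy.get(rule_name, []))


def self_service_update_allowed(policy):
    """True if a plain (non-admin) user may update their own user record,
    which on v3 includes setting a new password without the old one."""
    creds = {"user_id": "u-123", "roles": ["_member_"], "is_admin": 0}
    target = {"user_id": "u-123"}
    return evaluate("identity:update_user", creds, target, policy)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "self-service update allowed:",
              self_service_update_allowed(policy))
```

To audit a live file, replace WEAK_POLICY with json.load(open("/etc/keystone/policy.json")); the only rule consulted is identity:update_user and whatever it references.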
Comment 1 Julie Pichon 2013-10-23 06:51:25 EDT
After discussing with Summer Long, this should be moved to the Identity component. There won't be a fix for stable/grizzly / RHOS 3.0 as configuration changes could have other repercussions. So this will be closed as WONTFIX with a doc text describing the issue.
Comment 4 Julie Pichon 2014-03-19 02:31:38 EDT
This is no longer fully accurate: during Icehouse, Keystone added back a method for a user to update their own password. See https://blueprints.launchpad.net/keystone/+spec/v3-user-update-own-password .

However, from the user's point of view, there are no changes yet as the keystone client hasn't been updated yet to reflect the change, so neither the CLI nor Horizon can. This is being tracked in https://bugs.launchpad.net/horizon/+bug/1239757 and we're hoping that the patches will land in time for the Icehouse RC.
