Red Hat Bugzilla – Bug 1021877
Note about Keystone v3 policy and changing own password
Last modified: 2016-04-26 14:01:16 EDT
Description of problem:
The default policy in Keystone v3 lets a user change their own password without first confirming the current password.
The suggested fix is to change /etc/keystone/policy.json from "identity:update_user": [["rule:admin_or_owner"]], to "identity:update_user": [["rule:admin_required"]], so that only admin users have the ability to do so.
It might be useful to mention this in the async release notes so that users may take the appropriate corrective action if desired.
Version-Release number of selected component (if applicable):
RHOS 3.0 (recently fixed in the RHOS 4.0 release - a new deployment shouldn't suffer from this).
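The bug turns on how the two policy rules evaluate. The following added example is not code from the bug, from Keystone or from oslo.policy; it is a minimal evaluator for the list-of-lists policy.json rule language of that era, run against a constructed policy fragment modelled on the shipped defaults (the bodies of admin_required, owner and admin_or_owner are assumptions, and only the rules the example needs are included). It shows that the default rule lets a non-admin principal authorize identity:update_user, the check behind the v3 user-update call, against its own user record, while the suggested admin_required rule limits that call to admins.

```python
import json

# Constructed policy fragment in the list-of-lists policy.json form Keystone used at
# the time (outer list = OR of groups, inner list = AND of checks). The bodies of
# admin_required, owner and admin_or_owner are assumptions modelled on the shipped
# defaults; only the rules this example needs are included.
DEFAULT_POLICY = json.loads("""
{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "identity:update_user": [["rule:admin_or_owner"]]
}
""")

# The corrective change from the bug report: only admins may update a user.
HARDENED_POLICY = dict(DEFAULT_POLICY)
HARDENED_POLICY["identity:update_user"] = [["rule:admin_required"]]


def check(atom, policy, creds, target):
    """Evaluate one 'kind:match' atom against the caller's credentials and the target."""
    if atom == "@":      # always allowed
        return True
    if atom == "!":      # never allowed
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":   # reference to another named rule
        return enforce(match, policy, creds, target)
    if kind == "role":
        return match in creds.get("roles", ())
    # Generic check: substitute target attributes into the match string (this is
    # what makes user_id:%(user_id)s the "owner" test) and compare the result
    # with the credential attribute of the same name.
    try:
        expected = match % target
    except (KeyError, TypeError, ValueError):
        return False
    return str(creds.get(kind)) == expected


def enforce(rule_name, policy, creds, target):
    """True if any AND-group of the named rule passes; unknown rules deny."""
    groups = policy.get(rule_name)
    if groups is None:
        return False
    return any(all(check(atom, policy, creds, target) for atom in group)
               for group in groups)


def can_update_user(policy, creds, target_user_id):
    """Would identity:update_user (the check on the v3 user-update call, which is
    how a password can be replaced without confirming the current one) pass?"""
    return enforce("identity:update_user", policy, creds, {"user_id": target_user_id})


# Constructed principals for the demonstration (hypothetical ids and roles).
ALICE = {"user_id": "alice-id", "roles": ["_member_"]}   # ordinary user
ADMIN = {"user_id": "admin-id", "roles": ["admin"]}      # admin user


def decision_matrix():
    """Decisions for the cases that matter in the bug report."""
    return {
        "alice->self default": can_update_user(DEFAULT_POLICY, ALICE, "alice-id"),
        "alice->self hardened": can_update_user(HARDENED_POLICY, ALICE, "alice-id"),
        "alice->bob default": can_update_user(DEFAULT_POLICY, ALICE, "bob-id"),
        "admin->alice default": can_update_user(DEFAULT_POLICY, ADMIN, "alice-id"),
        "admin->alice hardened": can_update_user(HARDENED_POLICY, ADMIN, "alice-id"),
    }


if __name__ == "__main__":
    for case, allowed in decision_matrix().items():
        print(f"{case:24s} {'ALLOW' if allowed else 'DENY'}")
```

Under the default fragment the owner group passes for alice against her own record, so the update (and with it a password change with no current-password check) is allowed; under the hardened rule only the admin principal passes. The same evaluation also shows the cost of the change: with admin_required, a user can no longer update any attribute of their own record through that call, which is the sort of repercussion that argues for documenting rather than silently changing the shipped configuration.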
See https://bugs.launchpad.net/horizon/+bug/1237989/ for the upstream discussion
See bug 1016647 for the internal bug and discussion
Note that it was not possible for a user to change their own password using Horizon in Grizzly / RHOS 3.0.
After discussing with Summer Long, this should be moved to the Identity component. There won't be a fix for stable/grizzly / RHOS 3.0 as configuration changes could have other repercussions. So this will be closed as WONTFIX with a doc text describing the issue.
This is no longer fully accurate: during Icehouse, Keystone added back a method for a user to update their own password. See https://blueprints.launchpad.net/keystone/+spec/v3-user-update-own-password.
However, from the user's point of view there are no changes yet, as the keystone client hasn't been updated yet to reflect the change, so neither the CLI nor Horizon can. This is being tracked in https://bugs.launchpad.net/horizon/+bug/1239757 and we're hoping that the patches will land in time for the Icehouse RC.