keystone v2 api change_password authz require also update_user authz

This is by design in v2 - that password update call is intended for administrators. In v3, we support a self-service password change that requires the user's existing password:

  https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#change-user-password-post-usersuser_idpassword

I figure that match after I submitted the bug report, but I forgot to add my finding, that there is special API request for user changing his own password https://github.com/openstack/keystone/blob/stable/icehouse/keystone/contrib/user_crud/core.py and that the action that I was referring to in the bug report is admin only (at least from the point of view of default policy rules).

My main confusion come from the policy rule identity:change_password, which span for both action but doesn't really work with the admin action, which i think it's confusing !

As far as I can tell in V3 things are better, with action POST /users/{user_id}/password to change own password (b/c it require knowing the original password and that's what the default policy.v3.json authorize "identity:change_password": "rule:owner"), and as admin changing a user password by sending update user action i.e. PATCH /users/{user_id}, right ?

Thanks,

> as admin changing a user password by sending update user action i.e. PATCH /users/{user_id}, right ?

+1