Remove password validation logic from client

Bug #1607436 reported by Ron De Rose
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
python-keystoneclient | Invalid | Undecided | Unassigned |

Bug Description

When updating a password, keystoneclient checks whether the old password matches the new password, and if so raises an exception:

if old_password == new_password:
    msg = _('Old password and new password must be different.')
    raise exceptions.ValidationError(msg)

https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L220-L222

With the addition of PCI-DSS, keystone validates password history, so this check can now be removed and keystoneclient can rely on keystone to perform this validation.

Changed in python-keystoneclient:
assignee: nobody → Ron De Rose (ronald-de-rose)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/348464

Changed in python-keystoneclient:
status: New → In Progress
Brant Knudson (blk-u) wrote :

keystoneclient needs to work with all versions of keystone, not just master (which hasn't been released yet).

Steve Martinelli (stevemar) wrote :

Yeah, what Brant said. Also, what if I didn't opt into PCI support? This would still be nice to have in the client if someone isn't using PCI.

Henry Nash (henry-nash) wrote :

And further, as to my comments on the server patch: if you pass the old password into a user update, we treat it as a valid password change request and put it in the password history... which I suspect means that if you called that twice, it would say "you've already used that password once". I still think the server needs to spot that the password being passed in is the same as the current one...

Ron De Rose (ronald-de-rose) wrote :

I'd argue that if the business logic belongs in the client, then it probably belongs in keystone. The validation should be handled in keystone regardless of the version. If v2 keystone doesn't have this check, then either it's a bug or expected behavior. But again, the validation should happen in keystone.
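A minimal model of the server-side check discussed in the comments above, added here as an illustration; it is not keystone or keystoneclient code. UserRecord, update_password, unique_last_count and include_current are hypothetical names, PBKDF2 stands in for the server's password hasher, and the passwords are constructed samples. It shows how a history check that skips the current password accepts a same-password update once and rejects it the second time, and how including the current hash closes that gap.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    # PBKDF2 from the standard library stands in for the server's real hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserRecord:
    """Hypothetical server-side record; the newest password hash is last."""

    def __init__(self, password, unique_last_count=3):
        self.unique_last_count = unique_last_count
        self.hashes = []  # list of (salt, digest), oldest first
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.hashes.append((salt, _hash(password, salt)))

    def _matches(self, password, entry):
        # Salted hashes cannot be compared directly: re-hash with each salt.
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def update_password(self, new_password, include_current=True):
        """Return True if the change is accepted, False if history rejects it.

        include_current=False models the gap: only retired passwords are
        checked, so re-submitting the current password is accepted and stored.
        """
        recent = self.hashes[-self.unique_last_count:]
        checked = recent if include_current else recent[:-1]
        if any(self._matches(new_password, entry) for entry in checked):
            return False
        self._store(new_password)
        return True


if __name__ == "__main__":
    gap = UserRecord("pw-A")  # constructed sample password
    print(gap.update_password("pw-A", include_current=False))  # accepted
    print(gap.update_password("pw-A", include_current=False))  # rejected
    fixed = UserRecord("pw-A")
    print(fixed.update_password("pw-A"))  # rejected on the first attempt
```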

OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-keystoneclient (master)

Change abandoned by Ron De Rose (<email address hidden>) on branch: master
Review: https://review.openstack.org/348464

Changed in python-keystoneclient:
status: In Progress → Invalid
assignee: Ron De Rose (ronald-de-rose) → nobody