As an Admin, you can change User passwords (see attached screenshot for Horizon's Edit User modal).
However, it is a security issue that the Admin is not asked for his OWN password when making changes. This issue surfaces when using the Horizon dashboard.
For example, if the logged-in admin leaves a computer unattended, someone can successfully change the password of the logged-in user.
We should add an almost identical method here:
https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L145
with added admin password verification before changing the password.
Then in Horizon, we can add a new field "Admin Password" as a verification that the person changing the password is *really* the logged in user.
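A sketch of the re-authentication check proposed above, added here as an example; it is not code from this report, python-keystoneclient or Horizon. `UserStore`, `ReauthError` and `update_password_with_reauth` are hypothetical names, the in-memory store stands in for the identity backend, and all passwords are constructed sample values.

```python
import hashlib
import hmac
import os

class ReauthError(Exception):
    """Raised when the acting admin fails to confirm their own password."""

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hashing the real identity backend uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    """Hypothetical in-memory user table: user_id -> (salt, password hash)."""

    def __init__(self):
        self._users = {}

    def set_password(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash(password, salt))

    def check_password(self, user_id: str, password: str) -> bool:
        record = self._users.get(user_id)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, _hash(password, salt))

def update_password_with_reauth(store, session_user_id, admin_password,
                                target_user_id, new_password):
    """Change target's password only after the session owner re-authenticates."""
    # The identity to verify comes from the session, never from the form.
    if not store.check_password(session_user_id, admin_password):
        raise ReauthError("admin password confirmation failed")
    store.set_password(target_user_id, new_password)

def demo():
    store = UserStore()
    store.set_password("admin", "constructed-admin-pw")  # constructed sample data
    store.set_password("alice", "constructed-old-pw")
    try:
        # Unattended-session case: the session is valid, the admin password is not known.
        update_password_with_reauth(store, "admin", "guess", "alice", "attacker-pw")
        blocked = False
    except ReauthError:
        blocked = True
    update_password_with_reauth(store, "admin", "constructed-admin-pw", "alice", "new-pw")
    return blocked, store.check_password("alice", "new-pw")
```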
Copying the response from the patch to give context on the change requested: While I agree that this patch does not provide a complete solution, it does close a hole which is typically caught and flagged when security audits are done on systems running in large enterprises. We have already seen a real example of this being caught at an enterprise during a security audit. The shorter timeout solution would not enable the enterprise to pass its security audit. Having this option, even though it is a partial fix, will resolve a very irritating user experience issue that is being encountered. And again, it's optional but will be much appreciated by certain customer sets.
For reference, see bug 1226828, which was closed and not deemed a security issue at the time. That doesn't mean it isn't worth revisiting, though; it's good keystone is mentioned since we'll want to be matching behaviour.