Comment 6 for bug 1791111

Lance Bragstad (lbragstad) wrote :

I was able to verify this feature works, but more importantly why this was failing for Paul. I did the following:

 1. Created a new user called lbragstad with a password of `password`
 2. Set keystone.conf [security_compliance] change_password_upon_first_user = True
 3. Restarted keystone to apply the config changes
 4. Attempted to change my password as lbragstad using python-openstackclient

This actually fails because python-openstackclient is going to attempt to get a token from keystone as the user authenticating (lbragstad in this case). This is done for discovery purposes, but it results in a 401 because of the logic in keystone.

Alternatively, if I build a request to change my password and use keystone API directly, I can successfully change my password [0].

Hopefully this helps. I agree with Morgan in that we need to update the clients and horizon to be smarter about this specific API and forego getting a token to avoid the 401.

[0] http://paste.openstack.org/raw/731863/
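
The direct API call described in the comment above, sketched as an added example (not part of the original comment and not the contents of the linked paste). It uses the Identity v3 self-service call `POST /v3/users/{user_id}/password`, which carries the current password in the body instead of a token; the endpoint URL and user ID are constructed placeholders, and the function names are hypothetical.

```python
import json
import urllib.error
import urllib.request


def build_password_change_request(keystone_url, user_id, original_password, new_password):
    """Build the self-service password change request for keystone's v3 API.

    No X-Auth-Token header is set: the user proves identity with the
    current password in the body, so no token has to be fetched first.
    """
    body = {"user": {"original_password": original_password,
                     "password": new_password}}
    return urllib.request.Request(
        url=f"{keystone_url.rstrip('/')}/v3/users/{user_id}/password",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def change_password(keystone_url, user_id, original_password, new_password, timeout=10):
    """Send the request and return (ok, http_status).

    keystone answers 204 No Content on success; a 4xx status (for example
    a wrong original password) is returned to the caller instead of raised.
    """
    req = build_password_change_request(
        keystone_url, user_id, original_password, new_password)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 204, resp.status
    except urllib.error.HTTPError as exc:
        return False, exc.code


if __name__ == "__main__":
    # Constructed placeholders: substitute the real endpoint and user ID.
    req = build_password_change_request(
        "https://keystone.example.test:5000", "USER_ID_PLACEHOLDER",
        "password", "new-password")
    print(req.get_method(), req.full_url)
    print("token header present:", req.has_header("X-auth-token"))
```

The path takes the user's ID rather than the user name, so the ID has to be known to the caller beforehand.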