Comment 1 for bug 1337768

This is by design in v2 - that password update call is intended for administrators. In v3, we support a self-service password change that requires the user's existing password:

  https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#change-user-password-post-usersuser_idpassword