PCI: A user whose password has expired must ask an admin to reset their password.
Bug #1641645 reported by Steve Martinelli
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Wishlist | Gage Hugo | |
Bug Description
As noted in the bug title, this is a cumbersome process; a user should be able to reset their password if it expired.
(and potentially if locked out -- that's up for debate) (Discussed at the 11/22/16 meeting: a user locked out from too many attempts should have to ask an admin)
Changed in keystone:
  status: New → Confirmed
  assignee: nobody → Gage Hugo (gagehugo)
  summary: PCI: a locked out user must ask an admin to unlock their account → PCI: A user whose password has expired must ask an admin to reset their password.
  description: updated
Changed in keystone:
  milestone: ocata-2 → ocata-3
Changed in keystone:
  assignee: Gage Hugo (gagehugo) → Steve Martinelli (stevemar)
Changed in keystone:
  assignee: Steve Martinelli (stevemar) → Gage Hugo (gagehugo)
Changed in keystone:
  assignee: Gage Hugo (gagehugo) → Sean Dague (sdague)
Changed in keystone:
  assignee: Sean Dague (sdague) → Gage Hugo (gagehugo)
Took a closer look at this today. I noticed that there appears to be a "chicken or egg" problem with this. You need a token to be able to change your password, but if your password has expired, then you cannot get a token. If you cannot get a token, then unfortunately, you cannot change your password. I am wondering if the solution for this is either:
- Give an unscoped (or a custom) token if your password has expired, then allow a user to change their password with that unscoped token. A user can already change their password with an unscoped token so this would just involve changing how a user with an expired password is currently handled to allow that user to get an unscoped token, even if their password has expired. Although the current unscoped token may allow an expired password user to be able to do more than we want (other than just changing your password)
- Allow a user to change their password if it has expired without a token. To change your password you already must know your user_id and current (expired) password, so you may not need a token as you can already identify who you are (in theory). This method seems a bit off though due to the removal of security.
- ???
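As an added illustration, not Keystone's code and not the fix that eventually landed for this bug, the following toy model walks the second option from the comment: token issuance is refused once the password has expired, while a token-less password change that proves identity with user_id plus the current (expired) password still succeeds, and a locked-out account (the case the 11/22/16 meeting left to admins) is refused on both paths. The user names, lockout threshold, password lifetime and clock are all constructed values.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
MAX_FAILED_ATTEMPTS = 5                  # assumed lockout threshold
PASSWORD_LIFETIME = timedelta(days=90)   # assumed rotation period

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class User:
    def __init__(self, user_id, password, expires_at):
        self.user_id, self.salt, self.failed_attempts = user_id, os.urandom(16), 0
        self.pw_hash, self.expires_at = _hash(password, self.salt), expires_at

    locked = property(lambda self: self.failed_attempts >= MAX_FAILED_ATTEMPTS)

    def verify(self, password):
        ok = hmac.compare_digest(self.pw_hash, _hash(password, self.salt))
        self.failed_attempts = 0 if ok else self.failed_attempts + 1
        return ok

def issue_token(user, password, now):
    # Normal login: no token at all for a locked account or an expired password.
    if user.locked or not user.verify(password) or now >= user.expires_at:
        return None
    return "token-for-" + user.user_id

def change_password(user, current, new, now):
    # Token-less change: user_id + current password prove identity; expired is fine, locked is not.
    if user.locked or not user.verify(current):
        return False
    if hmac.compare_digest(_hash(new, user.salt), user.pw_hash):
        return False                     # re-using the expired password is no reset
    user.salt = os.urandom(16)
    user.pw_hash, user.expires_at = _hash(new, user.salt), now + PASSWORD_LIFETIME
    return True

def demo():
    now = datetime(2016, 11, 22, tzinfo=timezone.utc)              # constructed clock
    alice = User("alice", "old-secret", now - timedelta(days=1))   # password expired
    bob = User("bob", "hunter2", now + timedelta(days=30))
    for _ in range(MAX_FAILED_ATTEMPTS):
        bob.verify("wrong-guess")                                  # drives bob into lockout
    return {
        "expired_login": issue_token(alice, "old-secret", now),
        "expired_reuse": change_password(alice, "old-secret", "old-secret", now),
        "expired_change": change_password(alice, "old-secret", "new-secret", now),
        "login_after_change": issue_token(alice, "new-secret", now),
        "locked_change": change_password(bob, "hunter2", "fresh-secret", now),
    }
```

Running `demo()` shows the expired user getting no token, failing to "reset" to the same password, succeeding with a new one and then logging in normally, while the locked-out user is refused the change entirely.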