policy rule identity:change password is no longer needed

Bug #1705485 reported by prashkre
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Lance Bragstad

Bug Description

With the policy-in-code changes, the rule below is added in keystone/common/policies/user.py, but enforcement of this rule was removed by change-set [0] for the user change_password API. As this rule is no longer used, it can be removed.

    # keystone/common/policies/user.py (imports and list added for context)
    from oslo_policy import policy
    from keystone.common.policies import base

    user_policies = [
        policy.DocumentedRuleDefault(
            name=base.IDENTITY % 'change_password',
            check_str=base.RULE_ADMIN_OR_OWNER,
            description='Self-service password change.',
            operations=[{'path': '/v3/users/{user_id}/password',
                         'method': 'POST'}]),
    ]

[0] https://github.com/openstack/keystone/commit/3ae73b67522bf388a0fdcecceb662831d853a313

prashkre (prashkre)
summary: - policy rule identity:change_password is not used with change_password API
+ policy rule identity:change password is not enforced with API
summary: - policy rule identity:change password is not enforced with API
+ policy rule identity:change password is no longer needed
tags: added: low-hanging-fruit office-hours
Changed in keystone:
status: New → Confirmed
status: Confirmed → Triaged
importance: Undecided → Low
milestone: none → pike-3
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/485818

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Kristi Nikolla (knikolla)
Changed in keystone:
milestone: pike-3 → pike-rc1
Changed in keystone:
assignee: Kristi Nikolla (knikolla) → Lance Bragstad (lbragstad)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/485818
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=77bf1ad0b8991abb6c7ebba608fde27a3fd01c09
Submitter: Jenkins
Branch: master

commit 77bf1ad0b8991abb6c7ebba608fde27a3fd01c09
Author: Lance Bragstad <email address hidden>
Date: Thu Jul 20 20:45:42 2017 +0000

    Remove policy for self-service password changes

    The self-service password API was left intentionally
    unprotected in a change during the stable/ocata cycle:

      I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1

    The default policy was not removed from the same config and as a
    result it was migrated into code during the policy-in-code work.
    This isn't necessary since it's not used to protect anything. Policy
    should still be enforced on administrative password resets, but that
    is done using the `update_user` API.

    Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c
    Closes-Bug: 1705485

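The bug description and the commit message above make one point between them: a policy rule that is registered in the policy table but never passed to enforce() protects nothing, and the real control on administrative password resets is the enforced identity:update_user rule, while the self-service path is deliberately left without a policy check. The following is an added example, not keystone's or oslo.policy's code, that models that situation with a toy rule evaluator and a "dead rule" audit. The rule table, user store and credentials are constructed; the check-string semantics are a simplification of oslo.policy (only `or`, `rule:`, `role:` and `user_id:%(user_id)s` are understood); and the self-service path's requirement that the caller supply the current password is keystone's documented API behaviour, which this page does not state.

```python
"""Toy model of keystone-style policy rules and a dead-rule audit.

Added example, not keystone's code. identity:change_password is present
in the table but no request path enforces it, so it protects nothing;
administrative resets go through identity:update_user, which is enforced.
"""

IDENTITY = 'identity:%s'
RULE_ADMIN_REQUIRED = 'role:admin'
RULE_ADMIN_OR_OWNER = 'rule:admin_required or user_id:%(user_id)s'

# Constructed policy table shaped after keystone/common/policies/*.py.
REGISTERED_RULES = {
    'admin_required': RULE_ADMIN_REQUIRED,
    IDENTITY % 'change_password': RULE_ADMIN_OR_OWNER,  # never enforced
    IDENTITY % 'update_user': RULE_ADMIN_REQUIRED,
}

USERS = {}  # constructed user_id -> password store, reset by run_scenario()


def _term_passes(term, creds, target, rules):
    kind, _, value = term.partition(':')
    if kind == 'rule':                       # reference to another named rule
        return rule_passes(value, creds, target, rules)
    if kind == 'role':                       # role carried by the caller's token
        return value in creds.get('roles', ())
    if kind == 'user_id':                    # '%(user_id)s' is filled from the target
        return creds.get('user_id') == value % target
    raise ValueError('unsupported check: %s' % term)


def rule_passes(rule_name, creds, target, rules=REGISTERED_RULES):
    """Evaluate a check string, modelled as a disjunction of simple terms."""
    return any(_term_passes(t.strip(), creds, target, rules)
               for t in rules[rule_name].split(' or '))


class Enforcer:
    """Evaluates rules and records which ones were actually enforced."""

    def __init__(self, rules=REGISTERED_RULES):
        self.rules = rules
        self.enforced = set()

    def enforce(self, rule_name, creds, target):
        self.enforced.add(rule_name)
        if not rule_passes(rule_name, creds, target, self.rules):
            raise PermissionError(rule_name)
        return True


def update_user(enforcer, creds, user_id, new_password):
    """Administrative reset (PATCH /v3/users/{user_id}): policy-protected."""
    enforcer.enforce(IDENTITY % 'update_user', creds, {'user_id': user_id})
    USERS[user_id] = new_password
    return True


def change_password(enforcer, creds, user_id, original_password, new_password):
    """Self-service change (POST /v3/users/{user_id}/password): no enforce().

    The caller proves it is the user by supplying the current password
    (keystone's documented API behaviour; an assumption as far as this page goes).
    """
    if creds.get('user_id') != user_id or USERS.get(user_id) != original_password:
        raise PermissionError('original password check failed')
    USERS[user_id] = new_password
    return True


def unused_rules(enforcer):
    """Rules in the table that nothing enforced and no other rule references."""
    referenced = set()
    for check_str in enforcer.rules.values():
        for term in check_str.split(' or '):
            kind, _, value = term.strip().partition(':')
            if kind == 'rule':
                referenced.add(value)
    return sorted(set(enforcer.rules) - enforcer.enforced - referenced)


def run_scenario():
    """Exercise both password paths and return what the audit finds."""
    USERS.clear()
    USERS.update({'alice': 'alice-old', 'bob': 'bob-old'})  # constructed
    enforcer = Enforcer()
    admin = {'user_id': 'root', 'roles': ['admin']}
    alice = {'user_id': 'alice', 'roles': ['member']}
    results = {'admin_reset': update_user(enforcer, admin, 'bob', 'bob-new')}
    try:                                     # a plain member cannot use the admin path
        update_user(enforcer, alice, 'bob', 'not-hers')
        results['member_reset'] = True
    except PermissionError:
        results['member_reset'] = False
    results['self_service'] = change_password(enforcer, alice, 'alice', 'alice-old', 'alice-new')
    try:                                     # wrong current password is refused
        change_password(enforcer, alice, 'alice', 'wrong', 'x')
        results['bad_original'] = True
    except PermissionError:
        results['bad_original'] = False
    results['unused'] = unused_rules(enforcer)  # -> ['identity:change_password']
    return results


if __name__ == '__main__':
    print(run_scenario())
```

The audit in `unused_rules` is the check worth keeping after a cleanup like this one: a rule that appears in the policy file but is neither enforced by any request path nor referenced by another rule gives operators a false sense that a setting controls something, which is exactly why the report asks for identity:change_password to be dropped.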
Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0rc1

This issue was fixed in the openstack/keystone 12.0.0.0rc1 release candidate.
