policy rule identity:change password is no longer needed

Bug #1705485 reported by prashkre on 2017-07-20
Affects: OpenStack Identity (keystone)
Importance: Low
Assigned to: Lance Bragstad

Bug Description

With the policy-in-code changes, the rule below is added in keystone/common/policies/user.py, but enforcement of this rule was removed with change-set [0] against the user change_password API. As this rule is no longer used, it can be removed.

    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'change_password',
        check_str=base.RULE_ADMIN_OR_OWNER,
        description='Self-service password change.',
        operations=[{'path': '/v3/users/{user_id}/password',
                     'method': 'POST'}])

[0] https://github.com/openstack/keystone/commit/3ae73b67522bf388a0fdcecceb662831d853a313
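Added example (not from the bug report or from keystone itself): a small static check that lists policy rules registered through DocumentedRuleDefault that no controller method enforces, which is the situation this bug describes. It assumes keystone's convention that a method decorated with @controller.protected() enforces the rule 'identity:<method name>'; the policy and controller sources below are constructed samples, not the real files.

```python
import ast
# Constructed sample of a keystone-style policy-in-code module (not the real file).
POLICY_SRC = '''
rules = [
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'change_password',
        check_str=base.RULE_ADMIN_OR_OWNER,
        operations=[{'path': '/v3/users/{user_id}/password', 'method': 'POST'}]),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'update_user',
        check_str=base.RULE_ADMIN_REQUIRED,
        operations=[{'path': '/v3/users/{user_id}', 'method': 'PATCH'}]),
]
'''
# Constructed sample controller. Assumption: @controller.protected() on a method
# enforces the rule 'identity:<method name>'; an undecorated method enforces none.
CONTROLLER_SRC = '''
class UserV3(controller.V3Controller):
    @controller.protected()
    def update_user(self, request, user_id, user):
        pass

    def change_password(self, request, user_id, user):
        pass  # self-service: the caller proves the old password instead
'''
IDENTITY = 'identity:%s'

def registered_rules(src):
    """Rule names from DocumentedRuleDefault(name=base.IDENTITY % '<literal>')."""
    names = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call) and getattr(node.func, 'attr', None) == 'DocumentedRuleDefault':
            for kw in node.keywords:
                v = kw.value
                if kw.arg == 'name' and isinstance(v, ast.BinOp) and isinstance(v.op, ast.Mod):
                    names.add(IDENTITY % v.right.value)  # right operand is the string literal
    return names

def enforced_rules(src):
    """Rule names implied by methods carrying a @controller.protected() decorator."""
    names = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.FunctionDef):
            for dec in node.decorator_list:
                if isinstance(dec, ast.Call) and getattr(dec.func, 'attr', None) == 'protected':
                    names.add(IDENTITY % node.name)
    return names

def unused_rules(policy_src, controller_src):
    """Registered rules that no protected method enforces: dead policy, as in this bug."""
    return sorted(registered_rules(policy_src) - enforced_rules(controller_src))
```

Running the check over the samples reports identity:change_password as registered but unenforced, while identity:update_user is still covered by the protected update_user method.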

prashkre (prashkre) on 2017-07-20
summary: - policy rule identity:change_password is not used with change_password API
+ policy rule identity:change password is not enforced with API
summary: - policy rule identity:change password is not enforced with API
+ policy rule identity:change password is no longer needed
tags: added: low-hanging-fruit office-hours
Changed in keystone:
status: New → Confirmed
status: Confirmed → Triaged
importance: Undecided → Low
milestone: none → pike-3

Fix proposed to branch: master
Review: https://review.openstack.org/485818

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Kristi Nikolla (knikolla)
Changed in keystone:
milestone: pike-3 → pike-rc1
Changed in keystone:
assignee: Kristi Nikolla (knikolla) → Lance Bragstad (lbragstad)

Reviewed: https://review.openstack.org/485818
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=77bf1ad0b8991abb6c7ebba608fde27a3fd01c09
Submitter: Jenkins
Branch: master

commit 77bf1ad0b8991abb6c7ebba608fde27a3fd01c09
Author: Lance Bragstad <email address hidden>
Date: Thu Jul 20 20:45:42 2017 +0000

    Remove policy for self-service password changes

    The self-service password API was left intentionally
    unprotected in a change during the stable/ocata cycle:

      I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1

    The default policy was not removed from the same config and as a
    result it was migrated into code during the policy-in-code work.
    This isn't necessary since it's not used to protect anything. Policy
    should still be enforced on administrative password resets, but that
    is done using the `update_user` API.

    Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c
    Closes-Bug: 1705485

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 12.0.0.0rc1 release candidate.
