Comment 2 for bug 1755874

Vlastimil Mikes (v-mikes-z) wrote : Re: Ability to block users from changing passwords is missing in Keystone v3

The use case is as follows:

“There is a customer which grants access to OpenStack via centralized authentication services. They employ so-called ‘service users’ for authentication of automated toolchains only. These are Keystone user entries that are being created and destroyed on request by user action in a fully automated service portal.

These generated credentials adhere to company policy in regard to anonymity (username is random, can’t be connected to single person), traceability and isolation (generated for a single tenant inside OpenStack), and, for the lack of a better term, breakability (password strength by generating random 24 characters out of [a-zA-Z0-9], should never be changed without adhering to this password policy, better no end-user may change it, they can always re-create users).

Though the Horizon dashboard is now able to effectively block password change requests or can be configured so that a password policy is enforced, the Identity API V3 employed by Keystone has no means to effectively block password changes for non-admin users.”