2014-07-03 09:42:19 |
mouadino |
bug |
|
|
added bug |
2014-07-03 09:42:47 |
mouadino |
bug task added |
|
python-openstackclient |
|
2014-07-03 09:43:06 |
mouadino |
bug task added |
|
python-keystoneclient |
|
2014-07-03 09:43:26 |
mouadino |
summary |
Changing own password is totally mishandled |
Changing user password is totally mishandled |
|
2014-07-03 09:49:36 |
mouadino |
keystone: assignee |
|
mouadino (mouadino) |
|
2014-07-03 09:49:39 |
mouadino |
python-keystoneclient: assignee |
|
mouadino (mouadino) |
|
2014-07-03 09:49:42 |
mouadino |
python-openstackclient: assignee |
|
mouadino (mouadino) |
|
2014-07-03 12:53:08 |
mouadino |
description |
Problems:
========
1. There is a special RBAC entry for identity:change_password in v2 but not in the v3 default policy.json that comes with the keystone repository.
2. In v2 the set_user_password controller method calls update_user, which means that setting only 'identity:change_password' to 'rule:owner' will not work unless 'identity:update_user' is also changed to 'rule:owner' or similar.
3. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password, which means that to allow a user to change his password from the command line, the user should also be able to do a get, i.e. 'identity:get_user' should also be changed to 'rule:owner'.
4. The openstackclient v3 doesn't use identityclient.users.update_password for just updating the password; instead it uses the full user update, which will not work with just changing the 'identity:change_password'.
NOTE: Stating the obvious, I picked 'rule:owner' as an example, which is what makes sense in our case, but the problem is not specific to this rule |
Problems:
========
1. In v2 the set_user_password controller method calls update_user, which means that setting only 'identity:change_password' to 'rule:owner' will not work unless 'identity:update_user' is also changed to 'rule:owner' or similar.
2. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password, which means that to allow a user to change his password from the command line, the user should also be able to do a get, i.e. 'identity:get_user' should also be changed to 'rule:owner'.
3. The openstackclient v3 doesn't use identityclient.users.update_password for just updating the password; instead it uses the full user update, which will not work with just changing the 'identity:change_password'.
NOTE: Stating the obvious, I picked 'rule:owner' as an example, which is what makes sense in our case, but the problem is not specific to this rule |
|
2014-07-03 19:08:55 |
Dolph Mathews |
keystone: status |
New |
Incomplete |
|
2014-07-03 19:08:57 |
Dolph Mathews |
python-keystoneclient: status |
New |
Incomplete |
|
2014-07-03 19:08:59 |
Dolph Mathews |
python-openstackclient: status |
New |
Incomplete |
|
2014-07-04 09:19:17 |
mouadino |
bug task deleted |
keystone |
|
|
2014-07-04 09:22:03 |
mouadino |
description |
Problems:
========
1. In v2 the set_user_password controller method calls update_user, which means that setting only 'identity:change_password' to 'rule:owner' will not work unless 'identity:update_user' is also changed to 'rule:owner' or similar.
2. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password, which means that to allow a user to change his password from the command line, the user should also be able to do a get, i.e. 'identity:get_user' should also be changed to 'rule:owner'.
3. The openstackclient v3 doesn't use identityclient.users.update_password for just updating the password; instead it uses the full user update, which will not work with just changing the 'identity:change_password'.
NOTE: Stating the obvious, I picked 'rule:owner' as an example, which is what makes sense in our case, but the problem is not specific to this rule |
Problems:
========
1. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password, which means that to allow a user to change his password from the command line, the user should also be authz to do a get, i.e. the 'identity:get_user' policy rule should also be changed besides the 'identity:update_password'.
2. The openstackclient v3 doesn't use identityclient.users.update_password for just updating the password; instead it uses the full user update, which will not work with just changing the 'identity:change_password'.
3. keystoneclient v3 doesn't allow changing other users' passwords even though the API supports it. |
|
2014-07-10 11:18:30 |
mouadino |
summary |
Changing user password is totally mishandled |
Add changing curent user password |
|
2014-07-10 11:18:36 |
mouadino |
bug task deleted |
python-keystoneclient |
|
|
2014-07-10 11:20:36 |
mouadino |
description |
Problems:
========
1. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password, which means that to allow a user to change his password from the command line, the user should also be authz to do a get, i.e. the 'identity:get_user' policy rule should also be changed besides the 'identity:update_password'.
2. The openstackclient v3 doesn't use identityclient.users.update_password for just updating the password; instead it uses the full user update, which will not work with just changing the 'identity:change_password'.
3. keystoneclient v3 doesn't allow changing other users' passwords even though the API supports it. |
Problems:
========
Right now there is no way for a user to change his own password; only a full user update is given, which will work only with admin rights! keystone v3 allows the change of the current user's password https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#change-user-password-post-usersuser_idpassword which is affected by the policy rule 'identity:change_password', which defaults to "rule:owner". |
|
2014-07-10 11:27:26 |
mouadino |
summary |
Add changing curent user password |
Add changing current user password |
|
2014-07-10 11:27:43 |
OpenStack Infra |
python-openstackclient: status |
Incomplete |
In Progress |
|
2014-09-02 07:37:43 |
Dr. Jens Harbott |
bug |
|
|
added subscriber Dr. Jens Rosenboom |
2014-09-06 04:52:21 |
Dean Troyer |
python-openstackclient: milestone |
|
m5 |
|
2014-09-06 04:52:38 |
Dean Troyer |
python-openstackclient: importance |
Undecided |
Medium |
|
2014-09-07 15:12:21 |
OpenStack Infra |
python-openstackclient: status |
In Progress |
Fix Committed |
|
2014-09-09 05:11:42 |
Dean Troyer |
python-openstackclient: status |
Fix Committed |
Fix Released |
|