Comment 0 for bug 1337245

mouadino (mouadino) wrote: Changing own password is totally mishandled

Problems:
========

 1. There is a special RBAC entry for identity:change_password in v2 but none in the v3 default policy.json that comes with the keystone repository.

 2. In v2 the set_user_password controller method calls update_user, which means that setting only 'identity:change_password' to 'rule:owner' will not work unless 'identity:update_user' is also changed to 'rule:owner' or similar.

 3. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password, which means that to allow a user to change his password from the command line, the user should also be able to do a GET, i.e. 'identity:get_user' should also be changed to 'rule:owner'.

 4. The openstackclient v3 doesn't use identityclient.users.update_password for just updating the password; instead it uses the full user update, which will not work with just changing 'identity:change_password'.

NOTE: Stating the obvious, I picked 'rule:owner' as an example, which is what makes sense in our case, but the problem is not specific to this rule.
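The point of the report is that a self-service password change is not one policy check but a chain of them (get_user, change_password and, in v2, update_user), so relaxing a single target leaves the flow broken. The script below is an added example, not code from the bug report or from keystone: it uses a deliberately simplified stand-in for oslo.policy rule evaluation (only `rule:`, `role:` and generic `key:%(target)s` checks), a constructed admin-only baseline policy, and request sequences constructed from points 2 and 3 of the comment, so the effect of each policy change on the whole chain can be checked offline.

```python
"""Toy policy-chain check for the keystone 'change own password' flow.

Added example, not from the bug report. The evaluator mimics a subset of
oslo.policy syntax but is not oslo.policy; BASE_POLICY values are constructed
and are not copied from any keystone release.
"""

# Constructed admin-only baseline for the three targets named in the comment.
BASE_POLICY = {
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    "identity:get_user": "rule:admin_required",
    "identity:update_user": "rule:admin_required",
    "identity:change_password": "rule:admin_required",
}

# Request sequences constructed from the comment: both CLIs GET the user first;
# the v2 set_user_password controller additionally goes through update_user.
V3_CLI_FLOW = ("identity:get_user", "identity:change_password")
V2_CLI_FLOW = ("identity:get_user", "identity:change_password", "identity:update_user")


def check_rule(rule, policy, creds, target):
    """Evaluate one rule string against the caller's creds and the request target."""
    kind, _, match = rule.partition(":")
    if kind == "rule":                      # alias to another named rule
        return check_rule(policy[match], policy, creds, target)
    if kind == "role":                      # caller must hold the role
        return match in creds.get("roles", ())
    # Generic check: creds[kind] must equal `match` after %(key)s substitution
    # from the target; this is how 'user_id:%(user_id)s' expresses "owner".
    return str(creds.get(kind)) == match % target


def first_denied(flow, policy, creds, target):
    """Return the first policy target in `flow` that is denied, or None if all pass."""
    for action in flow:
        if not check_rule(policy[action], policy, creds, target):
            return action
    return None


def relax_to_owner(policy, actions):
    """Copy `policy` with the given targets switched to 'rule:owner'."""
    relaxed = dict(policy)
    for action in actions:
        relaxed[action] = "rule:owner"
    return relaxed


def self_service_change(policy, flow, caller="alice", subject=None):
    """Simulate `caller` (a plain member) changing the password of `subject`.

    `subject` defaults to the caller, i.e. the self-service case.
    """
    creds = {"user_id": caller, "roles": ["member"]}
    target = {"user_id": subject or caller}
    return first_denied(flow, policy, creds, target)


if __name__ == "__main__":
    only_pw = relax_to_owner(BASE_POLICY, ["identity:change_password"])
    print(self_service_change(only_pw, V3_CLI_FLOW))        # identity:get_user
    get_and_pw = relax_to_owner(only_pw, ["identity:get_user"])
    print(self_service_change(get_and_pw, V3_CLI_FLOW))     # None
    print(self_service_change(get_and_pw, V2_CLI_FLOW))     # identity:update_user
    all_three = relax_to_owner(get_and_pw, ["identity:update_user"])
    print(self_service_change(all_three, V2_CLI_FLOW))      # None
    # rule:owner still denies a member acting on another user's account.
    print(self_service_change(all_three, V2_CLI_FLOW, caller="bob", subject="alice"))
```

`first_denied` returns the first target in the chain that rejects the request, which is the value worth looking at: with only `identity:change_password` relaxed, the CLI flow already fails at `identity:get_user`, and the v2 flow still fails at `identity:update_user` after get_user is relaxed too. Whatever rule is chosen in place of `rule:owner`, a policy change for this feature has to be verified against the full sequence of enforced targets, not the one that carries the feature's name.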