1. There is a special RBAC entry for identity:change_password in v2 but not in the v3 default policy.json that comes with the keystone repository.
2. In v2 the set_user_password controller method calls update_user, which means that setting only 'identity:change_password' to 'rule:owner' will not work unless 'identity:update_user' is also changed to 'rule:owner' or similar.
3. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password, which means that to allow a user to change his password from the command line, the user should also be able to do a GET, i.e. 'identity:get_user' should also be changed to 'rule:owner'.
4. The openstackclient v3 doesn't use identityclient.users.update_password for just updating the password; instead it uses the full user update, which will not work with just changing 'identity:change_password'.
NOTE: Stating the obvious, I picked 'rule:owner' as an example, which is what makes sense in our case, but the problem is not specific to this rule.
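
The interaction between the three policy entries in problems 2 to 4, as an added example that is not keystone's or the clients' code: a simplified model in which each request path lists the policy entries the report says it is checked against. The function names, flow labels and sample user are hypothetical.

```python
# Simplified model of the policy checks described in the report.
# Assumption: this is NOT keystone's enforcement code; rule bodies are stand-ins.

def admin_required(creds, target):
    return "admin" in creds["roles"]

def owner(creds, target):                      # stand-in for 'rule:owner'
    return creds["user_id"] == target["user_id"]

def make_policy(**overrides):
    """Admin-only baseline with per-entry overrides, like editing policy.json."""
    policy = {"identity:get_user": admin_required,
              "identity:update_user": admin_required,
              "identity:change_password": admin_required}
    policy.update({"identity:" + name: rule for name, rule in overrides.items()})
    return policy

# Policy entries each request path is checked against, in order (hypothetical labels).
FLOWS = {
    # Problem 2: set_user_password calls update_user.
    "v2 API password PUT": ["identity:change_password", "identity:update_user"],
    # Problem 3: the clients GET the user before the password PUT.
    "v2 CLI password change": ["identity:get_user", "identity:change_password",
                               "identity:update_user"],
    # Problem 4: openstackclient v3 sends a full user update.
    "v3 openstackclient": ["identity:update_user"],
}

def first_denied(policy, flow, creds, target):
    """Return the first policy entry that rejects the flow, or None if it passes."""
    for entry in FLOWS[flow]:
        if not policy[entry](creds, target):
            return entry
    return None

def report(policy, creds, target):
    return {flow: first_denied(policy, flow, creds, target) for flow in FLOWS}

# Constructed sample data: a non-admin user acting on their own record.
ALICE = {"user_id": "u-alice", "roles": ["member"]}
SELF = {"user_id": "u-alice"}

if __name__ == "__main__":
    for label, policy in [
        ("change_password only", make_policy(change_password=owner)),
        ("all three entries", make_policy(change_password=owner,
                                          update_user=owner, get_user=owner)),
    ]:
        print(label, report(policy, ALICE, SELF))
```

Relaxing 'identity:update_user' to the owner rule covers the full user update, so it grants the user more than a password change; review which attributes that exposes before applying it.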