Tenant user password change from horizon fails with Error: Unable to update the user password

Bug #1797954 reported by Anujeyan Manokeran
This bug affects 1 person
Affects: StarlingX
Status: Invalid
Importance: Medium
Assigned to: chen haochuan
Milestone: (none listed)

Bug Description

Change password is failing as a tenant user from Horizon with the error "Unable to update the user password". But able to change password from CLI as a tenant user. For admin user this is not an issue.

Severity
--------
Major

Steps to Reproduce
------------------

1. Log in to Horizon as tenant1
2. Select Identity, then Users, then Change Password, to change the current login password.

Expected Behavior
------------------

User able to change his own password

Actual Behavior
----------------
As per description

Reproducible
---------------
100% reproduced

System Configuration
--------------------
Duplex system

Branch/Pull Time/Commit
-----------------------
2018-10-11 11:57:15 -0400

Timestamp/Logs
--------------
Issue is easily reproducible

description: updated
Ghada Khalil (gkhalil) wrote :

Targeting stx.2019.03 until further investigation. If this is standard openstack behavior, we may choose not to change it.

Changed in starlingx:
assignee: nobody → Tyler Smith (tyler.smith)
importance: Undecided → Medium
status: New → Triaged
summary: - STX: Tenant user password change from horizon fails with Error: Unable
- to update the user password
+ Tenant user password change from horizon fails with Error: Unable to
+ update the user password
tags: added: stx.2019.03 stx.gui
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: Tyler Smith (tyler.smith) → Bruce Jones (brucej)
description: updated
Bruce Jones (brucej) wrote :

Cindy, please assign this defect within your team to investigate whether or not this is standard OpenStack behavior.

Changed in starlingx:
assignee: Bruce Jones (brucej) → Cindy Xie (xxie1)
Changed in starlingx:
assignee: Cindy Xie (xxie1) → chen haochuan (martin1982)
chen haochuan (martin1982) wrote :

Issue also reproduces on multi-node system.

Andy (andy.wrs) wrote :

Based on my quick investigation, a logged in tenant on Horizon when he/she tries to change his/her own password, Horizon currently uses a PATCH REST API call (you can see this in Horizon's and Keystone's logs). PATCH is identity's API for "update_user" and it is reserved for administrative users only. This is enforced by default identity policy. Unless there is other reason, Horizon should use POST for users other than admin to change the tenant's own password.

We are not sure if this is standard upstream behavior though. Whether it is or not, I think this is a bug. It's not reasonable for a tenant NOT to be able to change their own passwords.

Andy (andy.wrs) wrote :

I'm rewording my comment a little bit to make it more clear ...

Based on my quick investigation, when a logged-in tenant user on Horizon tries to change his/her own password, Horizon currently uses a PATCH REST API call (you can see this in Horizon's and Keystone's logs). PATCH is identity's API for "update_user" and it is reserved for administrative users only (e.g., when the admin user resets passwords for other tenant users). This is enforced by default identity policy. Unless there is another reason, Horizon should use POST for users (other than admin) to change their own password.

We are not sure if this is standard upstream behavior though. Whether it is or not, I think this is a bug (or an enhancement if it is not considered a bug). It's not reasonable for a tenant user NOT to be able to change his/her own password.

Cindy Xie (xxie1) wrote :

Andy, are you saying that in order to allow a tenant user to change his own password from Horizon, we should not use the PATCH REST API call (due to the fact that the call is reserved for admin usage only)? Do you have any proposed API that allows a tenant user to change his own password?

From feature behavior point of view, I agree that this is a bug and we should allow the tenant user to change his password from Horizon. I am changing the bug status to "confirmed".

Changed in starlingx:
status: Triaged → Confirmed
Andy (andy.wrs) wrote :

Like I mentioned in my comment, Horizon could use POST for tenant user to change their passwords.

chen haochuan (martin1982) wrote :

Thanks Andy.

I checked /var/log/horizon.log and found Horizon already uses a POST command to update the password, but it still fails. Uploading the log file.

2018-11-12 02:54:27,008 [INFO] horizon.operation_log: [admin 6ef10262a1904f32a9250962a8d8e24f] [tenant1 1ee21dc6c3ba4d1a864510106cb1d3ad] [POST /identity/users/1ee21dc6c3ba4d1a864510106cb1d3ad/change_password/ 200] parameters:[{"fake_email": "admin", "confirm_password": "********", "name": "tenant1", "fake_password": "********", "csrfmiddlewaretoken": "IpcGskKkjxv73AuCqFgA9bMSSlJlzKHb", "password": "********", "id": "1ee21dc6c3ba4d1a864510106cb1d3ad"}] message:[error: Unable to update the user password.]

chen haochuan (martin1982) wrote :
Andy (andy.wrs) wrote :

I'm not very familiar with Horizon code. But when I log in to Horizon as a tenant user and try to change the password, I see the following in the keystone log:

2018-10-12 21:04:17.800 88060 INFO keystone.common.wsgi [req-d3c4b20f-27db-41e1-bdc7-a159fa3d403a d14e155f04a243fe94d3964ee757a1eb 5b34c52d341c4128a8bb4e4aba01ed2f - default default] PATCH http://192.168.204.2:5000/v3/users/d14e155f04a243fe94d3964ee757a1eb
2018-10-12 21:04:17.846 88060 WARNING keystone.common.wsgi [req-d3c4b20f-27db-41e1-bdc7-a159fa3d403a d14e155f04a243fe94d3964ee757a1eb 5b34c52d341c4128a8bb4e4aba01ed2f - default default] You are not authorized to perform the requested action: identity:update_user.: ForbiddenAction: You are not authorized to perform the requested action: identity:update_user.

If it's confirmed that Horizon indeed uses POST for tenant user to change password, then it might be something else.
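
Added example, not part of the original thread or of StarlingX/Keystone code: a small triage script that correlates the two Keystone log lines quoted in the comment above by request id and reports when a denied `identity:update_user` PATCH was aimed at the caller's own user record. It assumes the bracketed context starts with request id, user id and project id; `find_denied_user_updates` is a hypothetical helper name.

```python
import re

# The two Keystone log lines quoted in the comment above, copied verbatim.
SAMPLE_LOG = """\
2018-10-12 21:04:17.800 88060 INFO keystone.common.wsgi [req-d3c4b20f-27db-41e1-bdc7-a159fa3d403a d14e155f04a243fe94d3964ee757a1eb 5b34c52d341c4128a8bb4e4aba01ed2f - default default] PATCH http://192.168.204.2:5000/v3/users/d14e155f04a243fe94d3964ee757a1eb
2018-10-12 21:04:17.846 88060 WARNING keystone.common.wsgi [req-d3c4b20f-27db-41e1-bdc7-a159fa3d403a d14e155f04a243fe94d3964ee757a1eb 5b34c52d341c4128a8bb4e4aba01ed2f - default default] You are not authorized to perform the requested action: identity:update_user.: ForbiddenAction: You are not authorized to perform the requested action: identity:update_user.
"""

# Assumed context layout: [request_id user_id project_id ...].
LINE_RE = re.compile(
    r"^\S+ \S+ \d+ (?P<level>[A-Z]+) keystone\.common\.wsgi "
    r"\[(?P<req>req-\S+) (?P<user>\S+) (?P<project>\S+)[^\]]*\] (?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) https?://[^/\s]+(?P<path>/\S*)$")
USER_PATH_RE = re.compile(r"^/v3/users/(?P<target>[0-9a-f]{32})/?$")
DENIED_RE = re.compile(r"ForbiddenAction: .*requested action: (?P<action>[\w:]+)")


def find_denied_user_updates(log_text):
    """Pair each PATCH /v3/users/<id> with a later denial on the same request id."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a keystone.common.wsgi line in the expected format
        req = REQUEST_RE.match(m["msg"])
        if req:
            path = USER_PATH_RE.match(req["path"])
            if req["method"] == "PATCH" and path:
                pending[m["req"]] = (m["user"], path["target"])
            continue
        denied = DENIED_RE.search(m["msg"])
        if denied and m["req"] in pending:
            caller, target = pending.pop(m["req"])
            findings.append({
                "request_id": m["req"],
                "caller": caller,
                "target": target,
                "action": denied["action"],
                # True: the user tried to modify their own record via update_user
                "self_service": caller == target,
            })
    return findings


if __name__ == "__main__":
    for finding in find_denied_user_updates(SAMPLE_LOG):
        print(finding)
```

A finding with `self_service` set to true matches the pattern described in the comment: the caller's own password change went through the admin-only `update_user` call. Keystone's v3 API has a separate self-service call for this, `POST /v3/users/{user_id}/password`.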

chen haochuan (martin1982) wrote :

The password could be updated with this command:
[wrsroot@controller-0 log(keystone_admin)]$ openstack user set --password Pass@word1 tenant1

chen haochuan (martin1982) wrote :

I used to succeed in setting the password on Horizon, and changing the password also fails with the python keyring set command.
Seems related to daemon status.

chen haochuan (martin1982) wrote :
chen haochuan (martin1982) wrote :

I can now update the password in Horizon. The password must contain at least 1 upper case, 1 lower case, 1 digit and 1 special character, otherwise it fails.

chen haochuan (martin1982) wrote :

I uploaded the snapshot as an attachment, which shows the password being changed successfully in Horizon.

Changed in starlingx:
status: Confirmed → Invalid
Anujeyan Manokeran (anujeyan) wrote :

The uploaded password change is on admin, which we know is working. This bug is raised for tenant password change. Earlier comments say it has been reproduced. So please consider this bug is for tenant password change as per bug description.

chen haochuan (martin1982) wrote :

I checked again, it works. Lo

Reproduce steps:
1, login with "admin",
2, create user "tenanent"
     "Identity" -> "users" -> "Create User", in the prompt dialog, add "tenanent" and password
3, logout
4, login with username "tenanent"
5, change password
    "Identity" -> "users" -> "tenanent" column, click pull-down list -> select "Change password"

If the password pattern is correct, Horizon will automatically log out, and login with the new password succeeds.

chen haochuan (martin1982) wrote :

Confirmed the issue reproduces on duplex and simplex. Multi-node works fine. The above snapshot works on multi-node.
Should check stx-config for keystone.

Changed in starlingx:
status: Invalid → In Progress
Anujeyan Manokeran (anujeyan) wrote :

When you changed the password, what was the role for user tenanent?

In my case tenant1's role was member and the project was tenant1. I think in your case the role is admin. The admin role has permission to change all levels of passwords. The member role doesn't have permission to change his own password.

Ken Young (kenyis)
tags: added: stx.2019.05
removed: stx.2019.03
Ken Young (kenyis)
tags: added: stx.2.0
removed: stx.2019.05
Ghada Khalil (gkhalil)
tags: added: stx.retestneeded
chen haochuan (martin1982) wrote :

I can now log in with the newly created user. But a project and domain should be added for the newly created user; then login succeeds.
https://github.com/AJNOURI/COA/issues/35

These are my steps with the latest image deployed:
1, deploy simplex, login horizon http://10.10.10.3:8080/
2, select "Identity" -> "user" --> "create user", input user name and password in dialog, and click OK
3, in console, input " openstack role add --project admin --user martin --user-domain"

[wrsroot@controller-0 ~(keystone_admin)]$ openstack project list --domain default
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| dc4deb8a1ade4d50b244c600fafc464e | admin |
| f5c9d0d4baaa4aa6bd5991c349321c5a | services |
+----------------------------------+----------+
[wrsroot@controller-0 ~(keystone_admin)]$ openstack role add --project admin --user martin --user-domain default _member_
[wrsroot@controller-0 ~(keystone_admin)]$

4, login to horizon with newly created user "martin". login succeed.

chen haochuan (martin1982) wrote :

Login succeeds with the newly created user.

Changed in starlingx:
status: In Progress → Invalid
Anujeyan Manokeran (anujeyan) wrote :

Able to change tenant1 and tenant2 passwords from Horizon on load 2019-06-13 20:20:00.

Log in to Horizon as tenant1, go to settings and change password.
http://128.224.151.216:31000/auth/login/

tags: removed: stx.retestneeded