I will split the keystone bug into a separate one, but for the clients it's the same bug, right?
** No longer affects: keystone

** Description changed:

Problems: ======== - 1. In v2 the set_user_password controller method call update_user, - which mean that setting only 'identity:change_password' to 'rule:owner' - will not works unless 'identity:update_user' is also changed to - 'rule:owner' or similar. - 2. Both the keystoneclient and openstackclient do a GET /v./users/<uid> - before sending a PUT /users/<uid>/password which mean that to allow user - to change his password from command line, user should also be able to do - a get i.e. 'identity:get_user' should also be changed to 'rule:owner'. + 1. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password which mean that to allow user to change his password from command line, user should also be authz to do a get i.e. 'identity:get_user' policy rule should also be changed beside the 'identity:update_password'. - 3. The openstackclient v3 doesn't use + 2. The openstackclient v3 doesn't use identityclient.users.update_password for just updating the password instead it use the full user update, which will not work with just changing the 'identity:change_password'. - NOTE: Stating the obvious, I picked up 'rule:owner' as an example, which - is what make sense in our case, but the problem is not specific to this - rule + 3. keystoneclient v3 doesn't allow changing other users password even + though the API support it.

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1337245

Title:
  Changing user password is totally mishandled

Status in Python client library for Keystone:
  Incomplete
Status in OpenStack Command Line Client:
  Incomplete

Bug description:
  Problems:
  ========
  1. Both the keystoneclient and openstackclient do a GET /v./users/<uid> before sending a PUT /users/<uid>/password, which means that to allow a user to change his password from the command line, the user should also be authz to do a get, i.e. the 'identity:get_user' policy rule should also be changed beside the 'identity:update_password'.
  2. The openstackclient v3 doesn't use identityclient.users.update_password for just updating the password; instead it uses the full user update, which will not work with just changing the 'identity:change_password'.
  3. keystoneclient v3 doesn't allow changing other users' password even though the API supports it.
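The policy interaction described in the bug, as an added example that is not part of the original report or of Keystone's code: a toy evaluator that lists which policy targets deny a self-service password change on each client path. The evaluator, the sample user, mapping the full user update to 'identity:update_user', and using 'identity:change_password' for the password rule are assumptions of this sketch.

```python
# Added illustration: a toy policy evaluator, not Keystone's policy engine.
ADMIN, OWNER = "rule:admin_required", "rule:owner"

# Policy targets each path evaluates, per the bug description. Mapping the
# full user update to 'identity:update_user' is an assumption of this sketch.
FLOWS = {
    "raw API: PUT /users/<uid>/password": ["identity:change_password"],
    "keystoneclient: GET user, then PUT password":
        ["identity:get_user", "identity:change_password"],
    "openstackclient v3: GET user, then full user update":
        ["identity:get_user", "identity:update_user"],
}

def allowed(rule, caller, target_uid):
    """Evaluate one toy rule for a caller acting on target_uid."""
    if rule == ADMIN:
        return "admin" in caller["roles"]
    if rule == OWNER:
        return caller["id"] == target_uid
    return False  # unknown rule: deny by default

def blocked_by(policy, flow, caller, target_uid):
    """Policy targets that deny this flow; an empty list means it works."""
    return [t for t in FLOWS[flow]
            if not allowed(policy.get(t, ADMIN), caller, target_uid)]

def audit(policy, caller, target_uid):
    """Map every client path to the targets that block it."""
    return {flow: blocked_by(policy, flow, caller, target_uid) for flow in FLOWS}

# Constructed policies: any target not listed falls back to admin-only.
ONLY_PASSWORD = {"identity:change_password": OWNER}
WITH_GET = {**ONLY_PASSWORD, "identity:get_user": OWNER}
ALICE = {"id": "u-alice", "roles": ["member"]}  # constructed sample user

if __name__ == "__main__":
    for name, policy in [("password rule only", ONLY_PASSWORD),
                         ("password rule + get_user", WITH_GET)]:
        print(name)
        for flow, denied in audit(policy, ALICE, "u-alice").items():
            status = "OK" if not denied else "denied by " + ", ".join(denied)
            print(f"  {flow}: {status}")
```

Opening 'identity:update_user' to the owner to unblock the last path permits more than a password change, so the narrower fix is on the client side.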

