OpenStack Identity (keystone)

Update own password

Registered by Dolph Mathews

Identity API v2.0 contains an explicit API resource that allows users to update their own password by simultaneously providing their current password as a confirmation.

The existing v3 user update method (PATCH /v3/users/{user_id}) is aimed at administrators and allows any attribute of a user to be immediately overridden. If a regular user is allowed access to this API and their token is compromised, the user account can be permanently compromised by simply overriding the existing password. To prevent this, v3 needs a new API targeted at end users which requires the existing password be provided along with the new password.

Blueprint information

Status:
Complete
Approver:
None
Priority:
High
Drafter:
None
Direction:
Needs approval
Assignee:
David Stanek
Definition:
New
Series goal:
Accepted for icehouse
Implementation:
Implemented
Milestone target:
milestone icon 2014.1
Started by
David Stanek
Completed by
Dolph Mathews

Related branches

Sprints

Whiteboard

Dolph,

It seem, this is one of the problem which I am trying to address through following BP, which is more generic in nature and better goes in policy framework.

https://blueprints.launchpad.net/keystone/+spec/attribute-access-privilege-based-on-role

Basically I am proposing a configurable framework to address such situation which help to reduce number of APIs and we can address such situations by single API.

Please take a look at my proposal?

<dolph> I've simplified the use case a bit to avoid conflicting with attribute-access-privilege-based-on-role

Gerrit topic: https://review.openstack.org/#q,topic:bp/v3-user-update-own-password,n,z

API doc: https://review.openstack.org/52448

Addressed by: https://review.openstack.org/52456
    Adds a resource for changing a user's password

(?)

Work Items

Nearby

This blueprint contains Public information 
Everyone can see this information.