Documentation and release notes for changing expired passwords

Change-Id: I723f45e7ffe1f61bed244642c49eba24dafd7427
Part of blueprint: allow-users-change-expired-password

doc/source/configuration/settings.rst

@@ -1183,6 +1183,19 @@ supported image formats.
 Keystone
 --------
 
+ALLOW_USERS_CHANGE_EXPIRED_PASSWORD
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 16.0.0(Train)
+
+Default: ``True``
+
+When enabled, this setting lets users change their password after it has
+expired or when it is required to be changed on first use. Disabling it will
+force such users to either use the command line interface to change their
+password, or contact the system administrator.
+
+
 AUTHENTICATION_PLUGINS
 ~~~~~~~~~~~~~~~~~~~~~~
 

openstack_auth/defaults.py

@@ -72,6 +72,11 @@ SECURE_PROXY_ADDR_HEADER = False
 # contact an admin to change their password.
 PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = -1
 
+# Horizon can prompt the user to change their password when it is expired
+# or required to be changed on first use. This is enabled by default, but
+# can be disabled if not desired.
+ALLOW_USERS_CHANGE_EXPIRED_PASSWORD = True
+
 OPENSTACK_KEYSTONE_ADMIN_ROLES = ['admin']
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
 # Set this to True if you want available domains displayed as a dropdown menu

releasenotes/notes/bp-allow-users-change-expired-password-19223784fdf5059b.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Users can now change their password when it expires or is required to be
+    changed on the first use. A new setting ALLOW_USERS_CHANGE_EXPIRED_PASSWORD
+    has been added allowing administrators to disable that feature.