Browse Source

Remove policy for self-service password changes

The self-service password API was left intentionally
unprotected in a change during the stable/ocata cycle:

  I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1

The default policy was not removed from the same config and as a
result it was migrated into code during the policy-in-code work.
This isn't necessary since it's not used to protect anything. Policy
should still be enforced on administrative password resets, but that
is done using the `update_user` API.

Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c
Closes-Bug: 1705485
changes/18/485818/7
Lance Bragstad 4 years ago
parent
commit
77bf1ad0b8
  1. 1
      doc/source/getting-started/policy_mapping.rst
  2. 1
      etc/policy.v3cloudsample.json
  3. 8
      keystone/common/policies/user.py
  4. 19
      releasenotes/notes/bug-1705485-7a1ad17b9cc99b9d.yaml

1
doc/source/getting-started/policy_mapping.rst

@ -43,7 +43,6 @@ identity:list_users GET /v3/users
identity:create_user POST /v3/users
identity:update_user PATCH /v3/users/{user_id}
identity:delete_user DELETE /v3/users/{user_id}
identity:change_password POST /v3/users/{user_id}/password
identity:get_group GET /v3/groups/{group_id}
identity:list_groups GET /v3/groups

1
etc/policy.v3cloudsample.json

@ -128,7 +128,6 @@
"identity:update_policy": "rule:cloud_admin",
"identity:delete_policy": "rule:cloud_admin",
"identity:change_password": "rule:owner",
"identity:check_token": "rule:admin_or_owner",
"identity:validate_token": "rule:service_admin_or_owner",
"identity:validate_token_head": "rule:service_or_admin",

8
keystone/common/policies/user.py

@ -62,13 +62,7 @@ user_policies = [
check_str=base.RULE_ADMIN_REQUIRED,
description='Delete a user.',
operations=[{'path': '/v3/users/{user_id}',
'method': 'DELETE'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'change_password',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Self-service password change.',
operations=[{'path': '/v3/users/{user_id}/password',
'method': 'POST'}])
'method': 'DELETE'}])
]

19
releasenotes/notes/bug-1705485-7a1ad17b9cc99b9d.yaml

@ -0,0 +1,19 @@
---
upgrade:
- |
[`bug 1705485 <https://bugs.launchpad.net/keystone/+bug/1705485>`_]
The `change_password` protection policy can be removed from file-based
policies. This policy is no longer used to protect the self-service
password change API since the logic was moved into code. Note that the
administrative password reset functionality is still protected via policy
on the `update_user` API.
fixes:
- |
[`bug 1705485 <https://bugs.launchpad.net/keystone/+bug/1705485>`_]
A `previous change <https://review.openstack.org/#/c/404022/>`_ removed
policy from the self-service password API. Since a user is required to
authenticate to change their password, protection via policy didn't
necessarily make sense. This change removes the default policy from code,
since it is no longer required or used by the service. Note that
administrative password resets for users are still protected via policy
through a separate endpoint.
Loading…
Cancel
Save