From 77bf1ad0b8991abb6c7ebba608fde27a3fd01c09 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 20 Jul 2017 20:45:42 +0000
Subject: [PATCH] Remove policy for self-service password changes

The self-service password API was left intentionally unprotected in a change during the stable/ocata cycle: I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1

The default policy was not removed from the same config and as a result it was migrated into code during the policy-in-code work. This isn't necessary since it's not used to protect anything.

Policy should still be enforced on administrative password resets, but that is done using the `update_user` API.

Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c
Closes-Bug: 1705485
---
 doc/source/getting-started/policy_mapping.rst | 1 -
 etc/policy.v3cloudsample.json | 1 -
 keystone/common/policies/user.py | 8 +-------
 .../notes/bug-1705485-7a1ad17b9cc99b9d.yaml | 19 +++++++++++++++++++
 4 files changed, 20 insertions(+), 9 deletions(-)
 create mode 100644 releasenotes/notes/bug-1705485-7a1ad17b9cc99b9d.yaml

diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst
index fd3a0dd1bb..e766f63a4a 100644
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@@ -43,7 +43,6 @@ identity:list_users GET /v3/users
 identity:create_user POST /v3/users
 identity:update_user PATCH /v3/users/{user_id}
 identity:delete_user DELETE /v3/users/{user_id}
-identity:change_password POST /v3/users/{user_id}/password
 identity:get_group GET /v3/groups/{group_id}
 identity:list_groups GET /v3/groups
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index e1731c004d..5dbcb7dbbe 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -128,7 +128,6 @@
 "identity:update_policy": "rule:cloud_admin",
 "identity:delete_policy": "rule:cloud_admin",
- "identity:change_password": "rule:owner",
 "identity:check_token": "rule:admin_or_owner",
 "identity:validate_token": "rule:service_admin_or_owner",
 "identity:validate_token_head": "rule:service_or_admin",
diff --git a/keystone/common/policies/user.py b/keystone/common/policies/user.py
index d3c0163f18..31891a404b 100644
--- a/keystone/common/policies/user.py
+++ b/keystone/common/policies/user.py
@@ -62,13 +62,7 @@ user_policies = [
 check_str=base.RULE_ADMIN_REQUIRED,
 description='Delete a user.',
 operations=[{'path': '/v3/users/{user_id}',
- 'method': 'DELETE'}]),
- policy.DocumentedRuleDefault(
- name=base.IDENTITY % 'change_password',
- check_str=base.RULE_ADMIN_OR_OWNER,
- description='Self-service password change.',
- operations=[{'path': '/v3/users/{user_id}/password',
- 'method': 'POST'}])
+ 'method': 'DELETE'}])
 ]
diff --git a/releasenotes/notes/bug-1705485-7a1ad17b9cc99b9d.yaml b/releasenotes/notes/bug-1705485-7a1ad17b9cc99b9d.yaml
new file mode 100644
index 0000000000..e0df798f3f
--- /dev/null
+++ b/releasenotes/notes/bug-1705485-7a1ad17b9cc99b9d.yaml
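Review bot: Nothing in `user_policies` now records that `identity:change_password` is deliberately not registered, so the missing default for `POST /v3/users/{user_id}/password` will read as an oversight to anyone auditing this module against the v3 API surface; a comment just above the closing `]`, such as `# NOTE: identity:change_password is intentionally absent; the self-service password API was left without a policy check in I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1, and administrative resets are covered by identity:update_user.`, would preserve the rationale given in the commit message. The commit message states that protection for this endpoint lives in code rather than policy, which this diff cannot confirm on its own; a unit test asserting that `identity:change_password` is no longer among the registered rule defaults would pin that contract and catch a future re-addition. The `user_policies` list opens before this hunk.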
@@ -0,0 +1,19 @@
+---
+upgrade:
+ - |
+ [`bug 1705485 `_]
+ The `change_password` protection policy can be removed from file-based
+ policies. This policy is no longer used to protect the self-service
+ password change API since the logic was moved into code. Note that the
+ administrative password reset functionality is still protected via policy
+ on the `update_user` API.
+fixes:
+ - |
+ [`bug 1705485 `_]
+ A `previous change `_ removed
+ policy from the self-service password API. Since a user is required to
+ authenticate to change their password, protection via policy didn't
+ necessarily make sense. This change removes the default policy from code,
+ since it is no longer required or used by the service. Note that
+ administrative password resets for users are still protected via policy
+ through a separate endpoint.