set user_update policy to admin_required

This changes the default policy.json to prevent users from changing their own attributes such as password, name, or default_project_id. Closes-Bug: 1237989 Change-Id: I7de5fff3d72a76b78113e289c57a9fac2096395f
2013-10-10 10:36:00 -05:00 · 2013-10-10 10:36:00 -05:00 · 8f9eb28085
parent 8ba9898f42
commit 8f9eb28085
2 changed files with 1 additions and 6 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -35,7 +35,7 @@
    "identity:get_user": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_required"]],
    "identity:create_user": [["rule:admin_required"]],
-    "identity:update_user": [["rule:admin_or_owner"]],
+    "identity:update_user": [["rule:admin_required"]],
    "identity:delete_user": [["rule:admin_required"]],

    "identity:get_group": [["rule:admin_required"]],
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@ -2220,14 +2220,9 @@ class TestTrustAuth(TestAuthInfo):
                 self.user_id, expected_status=200,
                 token=trust_token)

-        auth_data = self.build_authentication_request(
-            user_id=self.trustee_user['id'],
-            password=self.trustee_user['password'])
-
        self.assertValidUserResponse(
            self.patch('/users/%s' % self.trustee_user['id'],
                       body={'user': {'password': uuid.uuid4().hex}},
-                       auth=auth_data,
                       expected_status=200))

        self.get('/OS-TRUST/trusts?trustor_user_id=%s' %