77bf1ad0b8
The self-service password API was left intentionally unprotected in a change during the stable/ocata cycle:

  I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1

The default policy was not removed from the same config and as a result it was migrated into code during the policy-in-code work. This isn't necessary since it's not used to protect anything. Policy should still be enforced on administrative password resets, but that is done using the `update_user` API.

Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c
Closes-Bug: 1705485
20 lines
985 B
YAML
---
upgrade:
  - |
    [`bug 1705485 <https://bugs.launchpad.net/keystone/+bug/1705485>`_]
    The `change_password` protection policy can be removed from file-based
    policies. This policy is no longer used to protect the self-service
    password change API since the logic was moved into code. Note that the
    administrative password reset functionality is still protected via policy
    on the `update_user` API.
fixes:
  - |
    [`bug 1705485 <https://bugs.launchpad.net/keystone/+bug/1705485>`_]
    A `previous change <https://review.openstack.org/#/c/404022/>`_ removed
    policy from the self-service password API. Since a user is required to
    authenticate to change their password, protection via policy didn't
    necessarily make sense. This change removes the default policy from code,
    since it is no longer required or used by the service. Note that
    administrative password resets for users are still protected via policy
    through a separate endpoint.
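An operator-side check for the upgrade note above, as an added example that is not part of the keystone change: it scans a file-based JSON policy for the stale `change_password` override and verifies that the `update_user` rule, which still guards administrative password resets, has not been overridden to allow everyone. The `identity:` rule prefix, the function names and the sample policy are assumptions made for illustration.

```python
import json

# Rule names from the release note; the "identity:" prefix is keystone's
# policy namespace (assumption: the note itself only gives the short names).
STALE_RULE = "identity:change_password"
ADMIN_RESET_RULE = "identity:update_user"

# Constructed sample of a file-based policy override, not taken from the page.
SAMPLE_POLICY = """{
    "admin_required": "role:admin",
    "identity:change_password": "rule:admin_or_owner",
    "identity:update_user": "rule:admin_required"
}"""


def load_rules(policy_text):
    """Parse a JSON policy body and insist on the rule -> check mapping shape."""
    rules = json.loads(policy_text)
    if not isinstance(rules, dict):
        raise ValueError("policy file must be a JSON object of rule: check")
    return rules


def audit_policy(policy_text):
    """Return (severity, rule) findings relevant to this upgrade."""
    rules = load_rules(policy_text)
    findings = []
    if STALE_RULE in rules:
        # Harmless but misleading: the service no longer evaluates this rule.
        findings.append(("info", STALE_RULE))
    check = rules.get(ADMIN_RESET_RULE)
    # In oslo.policy an empty string, "@" or an empty list always passes.
    allow_all = (isinstance(check, str) and check.strip() in ("", "@")) or check == []
    if allow_all:
        # Administrative resets rely on this rule, so allow-all is a real gap.
        findings.append(("warn", ADMIN_RESET_RULE))
    return findings


def strip_stale_rule(policy_text):
    """Return the policy re-serialised without the unused rule."""
    rules = load_rules(policy_text)
    rules.pop(STALE_RULE, None)
    return json.dumps(rules, indent=4, sort_keys=True)


if __name__ == "__main__":
    for severity, rule in audit_policy(SAMPLE_POLICY):
        print(f"{severity}: {rule}")
```
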