Merge "Remove policy for self-service password changes"

Jenkins · openstack-gerrit · commit 4e9862357137 · 2017-08-04T16:54:26.000Z
diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst
@@ -43,7 +43,6 @@ identity:list_users                                        GET /v3/users
 identity:create_user                                       POST /v3/users
 identity:update_user                                       PATCH /v3/users/{user_id}
 identity:delete_user                                       DELETE /v3/users/{user_id}
-identity:change_password                                   POST /v3/users/{user_id}/password
 
 identity:get_group                                         GET /v3/groups/{group_id}
 identity:list_groups                                       GET /v3/groups
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
@@ -128,7 +128,6 @@
     "identity:update_policy": "rule:cloud_admin",
     "identity:delete_policy": "rule:cloud_admin",
 
-    "identity:change_password": "rule:owner",
     "identity:check_token": "rule:admin_or_owner",
     "identity:validate_token": "rule:service_admin_or_owner",
     "identity:validate_token_head": "rule:service_or_admin",
diff --git a/keystone/common/policies/user.py b/keystone/common/policies/user.py
@@ -62,13 +62,7 @@
         check_str=base.RULE_ADMIN_REQUIRED,
         description='Delete a user.',
         operations=[{'path': '/v3/users/{user_id}',
-                     'method': 'DELETE'}]),
-    policy.DocumentedRuleDefault(
-        name=base.IDENTITY % 'change_password',
-        check_str=base.RULE_ADMIN_OR_OWNER,
-        description='Self-service password change.',
-        operations=[{'path': '/v3/users/{user_id}/password',
-                     'method': 'POST'}])
+                     'method': 'DELETE'}])
 ]
 
 
diff --git a/releasenotes/notes/bug-1705485-7a1ad17b9cc99b9d.yaml b/releasenotes/notes/bug-1705485-7a1ad17b9cc99b9d.yaml
@@ -0,0 +1,19 @@
+---
+upgrade:
+  - |
+    [`bug 1705485 <https://bugs.launchpad.net/keystone/+bug/1705485>`_]
+    The `change_password` protection policy can be removed from file-based
+    policies. This policy is no longer used to protect the self-service
+    password change API since the logic was moved into code. Note that the
+    administrative password reset functionality is still protected via policy
+    on the `update_user` API.
+fixes:
+  - |
+    [`bug 1705485 <https://bugs.launchpad.net/keystone/+bug/1705485>`_]
+    A `previous change <https://review.openstack.org/#/c/404022/>`_ removed
+    policy from the self-service password API. Since a user is required to
+    authenticate to change their password, protection via policy didn't
+    necessarily make sense. This change removes the default policy from code,
+    since it is no longer required or used by the service. Note that
+    administrative password resets for users are still protected via policy
+    through a separate endpoint.
