set user_update policy to admin_required

This changes the default policy.json to prevent users from changing their own attributes such as password, name, or default_project_id. Closes-Bug: 1237989 Change-Id: I7de5fff3d72a76b78113e289c57a9fac2096395f
openstack · Oct 10, 2013 · 3866991 · 3866991
1 parent c14ebd6
commit 3866991
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 6 deletions.
diff --git a/etc/policy.json b/etc/policy.json
@@ -35,7 +35,7 @@
     "identity:get_user": [["rule:admin_required"]],
     "identity:list_users": [["rule:admin_required"]],
     "identity:create_user": [["rule:admin_required"]],
-    "identity:update_user": [["rule:admin_or_owner"]],
+    "identity:update_user": [["rule:admin_required"]],
     "identity:delete_user": [["rule:admin_required"]],
 
     "identity:get_group": [["rule:admin_required"]],

diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
@@ -2220,14 +2220,9 @@ def test_change_password_invalidates_trust_tokens(self):
                  self.user_id, expected_status=200,
                  token=trust_token)
 
-        auth_data = self.build_authentication_request(
-            user_id=self.trustee_user['id'],
-            password=self.trustee_user['password'])
-
         self.assertValidUserResponse(
             self.patch('/users/%s' % self.trustee_user['id'],
                        body={'user': {'password': uuid.uuid4().hex}},
-                       auth=auth_data,
                        expected_status=200))
 
         self.get('/OS-TRUST/trusts?trustor_user_id=%s' %