From 3866991918beb818aa26aeab287a247f4732f6e7 Mon Sep 17 00:00:00 2001
From: Dolph Mathews
Date: Thu, 10 Oct 2013 10:36:00 -0500
Subject: [PATCH] set user_update policy to admin_required

This changes the default policy.json to prevent users from changing their own attributes such as password, name, or default_project_id.
Closes-Bug: 1237989
Change-Id: I7de5fff3d72a76b78113e289c57a9fac2096395f
---
 etc/policy.json | 2 +-
 keystone/tests/test_v3_auth.py | 5 -----
 2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/etc/policy.json b/etc/policy.json
index 648d14e210..5ce86fa25c 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -35,7 +35,7 @@
 "identity:get_user": [["rule:admin_required"]],
 "identity:list_users": [["rule:admin_required"]],
 "identity:create_user": [["rule:admin_required"]],
- "identity:update_user": [["rule:admin_or_owner"]],
+ "identity:update_user": [["rule:admin_required"]],
 "identity:delete_user": [["rule:admin_required"]],
 "identity:get_group": [["rule:admin_required"]],
diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
index b75f9fd023..33fa119e00 100644
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@@ -2220,14 +2220,9 @@ class TestTrustAuth(TestAuthInfo): self.user_id, expected_status=200, token=trust_token) - auth_data = self.build_authentication_request( - user_id=self.trustee_user['id'], - password=self.trustee_user['password']) - self.assertValidUserResponse( self.patch('/users/%s' % self.trustee_user['id'], body={'user': {'password': uuid.uuid4().hex}}, - auth=auth_data, expected_status=200)) self.get('/OS-TRUST/trusts?trustor_user_id=%s' %
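Review bot: The tightened `identity:update_user` rule only changes the default shipped in etc/policy.json, so a deployment that already installed its own copy of this file would presumably keep `admin_or_owner` until an operator edits it. The commit message and release notes should say that existing installs need `"identity:update_user": [["rule:admin_required"]]` applied to their deployed policy file. It would also help to state whether any self-service password-change route remains once owners are denied here, since nothing in this diff shows one.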
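Review bot: Nothing in this hunk asserts the new denial: with `auth=auth_data` dropped, the PATCH on the trustee's user record runs under the test's default credentials and still expects 200, so the owner path is no longer exercised. A negative case that keeps the trustee's own `auth_data` and expects a rejection would pin the policy change, for example `self.patch('/users/%s' % self.trustee_user['id'], body={'user': {'password': uuid.uuid4().hex}}, auth=auth_data, expected_status=403)`. Whether this test class loads the shipped policy.json, and whether the denial surfaces as 403, is not visible here and should be confirmed first. The enclosing test method starts and ends outside the hunk.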