)]}'
{"specs/ussuri/approved/allow-specify-user-to-reset-password.rst":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"35c3678864480d4f54599fb77c070bb73219a9ac","unresolved":false,"context_lines":[{"line_number":16,"context_line":"Problem description"},{"line_number":17,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":18,"context_line":"Currently, the Linux operating system supports the root user to reset it\u0027s"},{"line_number":19,"context_line":"own password, and the window operating system supports the administrator to"},{"line_number":20,"context_line":"reset it\u0027s own password, but they are cannot reset the normal user\u0027s password."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"In fact, a server has more than one user (contains root or administrator) in"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_1fa6b8c1","line":19,"range":{"start_line":19,"start_character":22,"end_line":19,"end_character":28},"updated":"2019-10-29 16:06:57.000000000","message":"windows?","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"35c3678864480d4f54599fb77c070bb73219a9ac","unresolved":false,"context_lines":[{"line_number":23,"context_line":"the production environment. Sometimes, because the user does not log in for"},{"line_number":24,"context_line":"a long time, the password is forgotten. Or the current user leaves, need to"},{"line_number":25,"context_line":"reset user password."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"},{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_58052679","line":26,"updated":"2019-10-29 16:06:57.000000000","message":"I think something is missing from the problem description. How this problem is the problem of OpenStack Nova. I think in the first sentence you need to talk about what OpenStack allows and not allows but is should","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"9d24f1cdafc2e11135febde4a83e041952f14310","unresolved":false,"context_lines":[{"line_number":23,"context_line":"the production environment. Sometimes, because the user does not log in for"},{"line_number":24,"context_line":"a long time, the password is forgotten. Or the current user leaves, need to"},{"line_number":25,"context_line":"reset user password."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"},{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_363867d1","line":26,"in_reply_to":"3fa7e38b_008ac562","updated":"2019-10-30 15:27:50.000000000","message":"\u003e Sure, but why does nova need to be the vehicle to do this? Couldn\u0027t\n\n+1000\n\nAlso I think this is relevant here https://docs.openstack.org/nova/latest/contributor/project-scope.html#no-more-orchestration","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"9f4589308e9e1f39fc83abbb9214df4dfb23a6e2","unresolved":false,"context_lines":[{"line_number":23,"context_line":"the production environment. Sometimes, because the user does not log in for"},{"line_number":24,"context_line":"a long time, the password is forgotten. Or the current user leaves, need to"},{"line_number":25,"context_line":"reset user password."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"},{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_e3e20901","line":26,"in_reply_to":"3fa7e38b_008ac562","updated":"2019-10-31 07:18:59.000000000","message":"Yeah, we have tried to solve this problem in the above way, but our customers are not satisfied with this solution. When the nova was deployed in the customer\u0027s environment, it should be convenient and friendly to the customers. \n\n \u003e I realize it would be convenient to just have nova do this since the framework is already in place\n\nThis is why we chose to implement this solution through nova and provide it to our customers through our dashboard. Our customers are quite satisfied with this.","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"d450baf0f6b8701955350ea1ccb0cae5f999dce8","unresolved":false,"context_lines":[{"line_number":23,"context_line":"the production environment. Sometimes, because the user does not log in for"},{"line_number":24,"context_line":"a long time, the password is forgotten. Or the current user leaves, need to"},{"line_number":25,"context_line":"reset user password."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"},{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_b3547b23","line":26,"in_reply_to":"3fa7e38b_58052679","updated":"2019-10-29 17:14:19.000000000","message":"When I first opened this I was going to say the same thing, why does nova need to support or care about this? That\u0027s why I mentioned it in the alternatives section below. I then got to reading the original spec for this API:\n\nhttps://specs.openstack.org/openstack/nova-specs/specs/liberty/implemented/libvirt-set-admin-password.html\n\nAnd it\u0027s a bit of a slippery slope now because the argument could have been made then, why does nova need to care about this? And the alternative there says the same:\n\nhttps://specs.openstack.org/openstack/nova-specs/specs/liberty/implemented/libvirt-set-admin-password.html#alternatives\n\ne.g. \"for an admin to bulk change the passwords across all their running guests, without having to login to the console of each guest manually/individually.\"\n\nI\u0027m not really sold on expanding the use case for the changePassword API though since it\u0027s very heavily documented (in docs, code and CLI) that the API is for resetting the admin password and not random users within the guest. Adding this would be a total convenience that only the libvirt driver would implement (the only other driver that implements this API is the xenapi driver and that is deprecated).","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"e724b0225f1015fa000314ac37c48e4cc6a64094","unresolved":false,"context_lines":[{"line_number":23,"context_line":"the production environment. Sometimes, because the user does not log in for"},{"line_number":24,"context_line":"a long time, the password is forgotten. Or the current user leaves, need to"},{"line_number":25,"context_line":"reset user password."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"},{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_96835b56","line":26,"in_reply_to":"3fa7e38b_857ec767","updated":"2019-10-30 15:29:59.000000000","message":"\u003e In our existing customer environment, an administrator will issue\n \u003e 500 VMs, or even more. For product security, users are not expected\n \u003e to know the admin/administrator password. Therefore, when non-admin\n \u003e forgets the password, it can directly Resetting your password\n \u003e yourself is a good choice. If all of this work is done by an\n \u003e administrator, it is conceivable that the administrator will be\n \u003e mad.\n\nIf in this environment your admin needs to reconfigure or patch the software running in those 500 guests. How do you do that today?","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"85d4c8d508133b7c1443fc85c70bbef67b907916","unresolved":false,"context_lines":[{"line_number":23,"context_line":"the production environment. Sometimes, because the user does not log in for"},{"line_number":24,"context_line":"a long time, the password is forgotten. Or the current user leaves, need to"},{"line_number":25,"context_line":"reset user password."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"},{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_008ac562","line":26,"in_reply_to":"3fa7e38b_857ec767","updated":"2019-10-30 14:22:35.000000000","message":"\u003e In our existing customer environment, an administrator will issue\n \u003e 500 VMs, or even more. For product security, users are not expected\n \u003e to know the admin/administrator password. Therefore, when non-admin\n \u003e forgets the password, it can directly Resetting your password\n \u003e yourself is a good choice. If all of this work is done by an\n \u003e administrator, it is conceivable that the administrator will be\n \u003e mad.\n\nSure, but why does nova need to be the vehicle to do this? Couldn\u0027t you have a tool/portal (that\u0027s not nova) which takes the user password reset change request and ssh\u0027s into the guest and does that directly? Or just runs a virsh command on the compute host or if one doesn\u0027t exist you could write a python script that connects to libvirt and call setUserPassword on the domain object for the guest.\n\nI realize it would be convenient to just have nova do this since the framework is already in place, I just don\u0027t think it really fits with the project, but I don\u0027t feel that strongly that I\u0027m -1 on it.","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"bda90b9d5be6a440c400efbaba58246cf778095d","unresolved":false,"context_lines":[{"line_number":23,"context_line":"the production environment. Sometimes, because the user does not log in for"},{"line_number":24,"context_line":"a long time, the password is forgotten. Or the current user leaves, need to"},{"line_number":25,"context_line":"reset user password."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"},{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_4363dd42","line":26,"in_reply_to":"3fa7e38b_96835b56","updated":"2019-10-31 08:29:39.000000000","message":"\u003e If in this environment your admin needs to reconfigure or patch the software running in those 500 guests. How do you do that today?\n\nWe update the changePassword Action API, and allow the admin or owner to request his/her username and new password to reset its password. As your suggestion, I realize do this in a single API is better, I think it is necessary to make changes.","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"84e44b4f9338a99f772aa085feede9062ad5eebe","unresolved":false,"context_lines":[{"line_number":23,"context_line":"the production environment. Sometimes, because the user does not log in for"},{"line_number":24,"context_line":"a long time, the password is forgotten. Or the current user leaves, need to"},{"line_number":25,"context_line":"reset user password."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"},{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_3f5fe541","line":26,"in_reply_to":"3fa7e38b_b3547b23","updated":"2019-10-30 08:39:25.000000000","message":"I agree that we opened pandora\u0027s box with the liberty feature but I would like to draw the line here.\n\nIf there is push to add more automation to nova (which I disagree with) then instead of adding each automation use case one by one with a separate API why don\u0027t we add a single Nova API like \"run this script in my guest\". Then the problem would be solved for ever.","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"5271404526377b83695e1593082c668565bca5c0","unresolved":false,"context_lines":[{"line_number":23,"context_line":"the production environment. Sometimes, because the user does not log in for"},{"line_number":24,"context_line":"a long time, the password is forgotten. Or the current user leaves, need to"},{"line_number":25,"context_line":"reset user password."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"},{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_857ec767","line":26,"in_reply_to":"3fa7e38b_b3547b23","updated":"2019-10-30 13:31:14.000000000","message":"In our existing customer environment, an administrator will issue 500 VMs, or even more. For product security, users are not expected to know the admin/administrator password. Therefore, when non-admin forgets the password, it can directly Resetting your password yourself is a good choice. If all of this work is done by an administrator, it is conceivable that the administrator will be mad.","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"35c3678864480d4f54599fb77c070bb73219a9ac","unresolved":false,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Use Cases"},{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"},{"line_number":30,"context_line":"to reset its password."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_d8f8367d","line":29,"range":{"start_line":29,"start_character":37,"end_line":29,"end_character":44},"updated":"2019-10-29 16:06:57.000000000","message":"allow?","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"35c3678864480d4f54599fb77c070bb73219a9ac","unresolved":false,"context_lines":[{"line_number":28,"context_line":"---------"},{"line_number":29,"context_line":"As an administrator, I would like to specify the existing user of the server"},{"line_number":30,"context_line":"to reset its password."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Proposed change"},{"line_number":33,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":34,"context_line":"Add a new microversion to the the changePassword Action API."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_78cb421d","line":31,"updated":"2019-10-29 16:06:57.000000000","message":"I don\u0027t think this is a feature that nova needs to support. The administrator can log in to the guest and can change the password of other users in the guest.","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"9d45c0d7c595c4dc805b91bbe23a4447ff61f21d","unresolved":false,"context_lines":[{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Alternatives"},{"line_number":47,"context_line":"------------"},{"line_number":48,"context_line":"None"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Data model impact"},{"line_number":51,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_82ed6f26","line":48,"updated":"2019-10-29 13:53:05.000000000","message":"Obviously the alternative is the admin or owner of the VM logs into it and changes the target user\u0027s password.","commit_id":"817dfb6d2d5a8eefde8df145b83529d14dae8fce"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"a8d4dc960dbdd77ace7803e5be28b496de665d78","unresolved":false,"context_lines":[{"line_number":76,"context_line":"    \"changeUserPassword\": {"},{"line_number":77,"context_line":"          \"user_name\": \"foo_name\","},{"line_number":78,"context_line":"          \"user_passwd\": \"foo_passwd\""},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"    }"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"  }"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_41139566","line":79,"updated":"2019-12-16 02:40:09.000000000","message":"I may pick some detail here, like both adminPass and user_name and user_passwd specified. But it is fine. Probably we can support both.","commit_id":"94af7089864b1351406ce081af95506dd6e53610"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"022395a0d64a201422b1b39aab9e7c7bc9b68b88","unresolved":false,"context_lines":[{"line_number":76,"context_line":"    \"changeUserPassword\": {"},{"line_number":77,"context_line":"          \"user_name\": \"foo_name\","},{"line_number":78,"context_line":"          \"user_passwd\": \"foo_passwd\""},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"    }"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"  }"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_849afbc1","line":79,"in_reply_to":"3fa7e38b_41139566","updated":"2019-12-16 03:05:18.000000000","message":"This will add a new compute api to change the user\u0027s password, of course, if you want to change the admin user\u0027s password, it can be allowed.","commit_id":"94af7089864b1351406ce081af95506dd6e53610"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"a8d4dc960dbdd77ace7803e5be28b496de665d78","unresolved":false,"context_lines":[{"line_number":122,"context_line":"Upgrade impact"},{"line_number":123,"context_line":"--------------"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"None"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"Implementation"},{"line_number":128,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_a101290a","line":125,"updated":"2019-12-16 02:40:09.000000000","message":"you also need to change the rpc api, to pass those username and password down to compute node.","commit_id":"94af7089864b1351406ce081af95506dd6e53610"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"022395a0d64a201422b1b39aab9e7c7bc9b68b88","unresolved":false,"context_lines":[{"line_number":122,"context_line":"Upgrade impact"},{"line_number":123,"context_line":"--------------"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"None"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"Implementation"},{"line_number":128,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_44a40308","line":125,"in_reply_to":"3fa7e38b_a101290a","updated":"2019-12-16 03:05:18.000000000","message":"Yes, it\u0027s shuold be declared.","commit_id":"94af7089864b1351406ce081af95506dd6e53610"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"634e47061928395933b0b8013a59cdc5e46e522c","unresolved":false,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://blueprints.launchpad.net/nova/+spec/allow-specify-user-to-reset-password"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The blueprint proposes to allow the QEMU/KVM users to reset their password"},{"line_number":14,"context_line":"by the libvirt API of set-user-password provided with version 1.2.16."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Problem description"},{"line_number":17,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_01ce125a","line":14,"range":{"start_line":13,"start_character":0,"end_line":14,"end_character":69},"updated":"2020-01-10 12:41:49.000000000","message":"this requires the guest to be deployed with the qemu guest agent correct. with out the guest agent i dont think libvirt can reset the password.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"079dd276626429149a16c62ff8c8ec3cbe03463d","unresolved":false,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://blueprints.launchpad.net/nova/+spec/allow-specify-user-to-reset-password"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The blueprint proposes to allow the QEMU/KVM users to reset their password"},{"line_number":14,"context_line":"by the libvirt API of set-user-password provided with version 1.2.16."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Problem description"},{"line_number":17,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_fe8a611c","line":14,"range":{"start_line":13,"start_character":0,"end_line":14,"end_character":69},"in_reply_to":"3fa7e38b_01ce125a","updated":"2020-01-13 07:53:39.000000000","message":"Yes, this requires the guest has been deployed with the qumu guest agent.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"634e47061928395933b0b8013a59cdc5e46e522c","unresolved":false,"context_lines":[{"line_number":21,"context_line":"active."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"In many customer scenarios, an administrator manages a large number of"},{"line_number":24,"context_line":"servers. Sometimes, users often forget passwords. In order to re-gain"},{"line_number":25,"context_line":"control over an already running guest for which they have lost the password,"},{"line_number":26,"context_line":"the user has to ask the administrator to reset the password. This will"},{"line_number":27,"context_line":"undoubtedly be the administrator or the operation and maintenance engineer"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_a18ffe1f","line":24,"range":{"start_line":24,"start_character":9,"end_line":24,"end_character":48},"updated":"2020-01-10 12:41:49.000000000","message":"unfrotunetly yes although they should really be using ssh keys or x509 certs for powershell on windows.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"bc0822b7afde08811bf501aee189c4a353647fc8","unresolved":false,"context_lines":[{"line_number":21,"context_line":"active."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"In many customer scenarios, an administrator manages a large number of"},{"line_number":24,"context_line":"servers. Sometimes, users often forget passwords. In order to re-gain"},{"line_number":25,"context_line":"control over an already running guest for which they have lost the password,"},{"line_number":26,"context_line":"the user has to ask the administrator to reset the password. This will"},{"line_number":27,"context_line":"undoubtedly be the administrator or the operation and maintenance engineer"},{"line_number":28,"context_line":"brings a lot of unnecessary troubles."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_aeb03843","line":28,"range":{"start_line":24,"start_character":50,"end_line":28,"end_character":37},"updated":"2020-01-30 13:15:31.000000000","message":"This operation is controlled with policy which is admin or owner by default. So owner of project can still change the password (owner will be decided by project not user).\n\n\u0027os_compute_api:os-admin-password\u0027","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"634e47061928395933b0b8013a59cdc5e46e522c","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an administrator, I would like to allow the existing user of the server"},{"line_number":34,"context_line":"to reset its password."},{"line_number":35,"context_line":"As a user (non-admin), I would like to re-gain control over a running guest"},{"line_number":36,"context_line":"when I lost the password by myself."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_81b522d2","line":36,"range":{"start_line":33,"start_character":0,"end_line":36,"end_character":35},"updated":"2020-01-10 12:41:49.000000000","message":"vms are owned by the project so if we did this it would allow any memeber of a project to reset the password of any vm in the project. is that what we want? the most comment case other then forget the password where this would come up is an employee leave but they did nto transfer the vm to another and reset the password before they left.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"6b670809debe804ad684899cb3f91cbd2fd8dc08","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an administrator, I would like to allow the existing user of the server"},{"line_number":34,"context_line":"to reset its password."},{"line_number":35,"context_line":"As a user (non-admin), I would like to re-gain control over a running guest"},{"line_number":36,"context_line":"when I lost the password by myself."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_506a79ec","line":36,"range":{"start_line":33,"start_character":0,"end_line":36,"end_character":35},"in_reply_to":"3fa7e38b_30f81d7d","updated":"2020-01-30 19:12:42.000000000","message":"that would reduce the security risk but if the vm is shared by multile user this still does not protect them form the user that created the vm changing there passwords on the vm.\n\ni really dont think this is something that should be in the scope of nova to manage.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"6b98798f34b361656b1345172656b3c508517078","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an administrator, I would like to allow the existing user of the server"},{"line_number":34,"context_line":"to reset its password."},{"line_number":35,"context_line":"As a user (non-admin), I would like to re-gain control over a running guest"},{"line_number":36,"context_line":"when I lost the password by myself."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_eacff151","line":36,"range":{"start_line":33,"start_character":0,"end_line":36,"end_character":35},"in_reply_to":"3fa7e38b_506a79ec","updated":"2020-01-31 01:13:19.000000000","message":"emm...without this feature, the user in the same project can use rescue mode to change the passwd file in the original root.  But yes, the VM is down in that moment.\n\nIt only guarantees a live VM can\u0027t change the password.\n\nI just think the per user VM model isn\u0027t we support today.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"bc0822b7afde08811bf501aee189c4a353647fc8","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an administrator, I would like to allow the existing user of the server"},{"line_number":34,"context_line":"to reset its password."},{"line_number":35,"context_line":"As a user (non-admin), I would like to re-gain control over a running guest"},{"line_number":36,"context_line":"when I lost the password by myself."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_eed4f04e","line":36,"range":{"start_line":33,"start_character":0,"end_line":36,"end_character":35},"in_reply_to":"3fa7e38b_80806ec0","updated":"2020-01-30 13:15:31.000000000","message":"yeah current policy[1] is admin or owner by default. we do not decide the owner from user but from project.\n\nis this proposal about restricting same project\u0027s user not to change password ? because all users under server owne project should be able to change passowrd.\n\n[1] \u0027os_compute_api:os-admin-password\u0027","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"079dd276626429149a16c62ff8c8ec3cbe03463d","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an administrator, I would like to allow the existing user of the server"},{"line_number":34,"context_line":"to reset its password."},{"line_number":35,"context_line":"As a user (non-admin), I would like to re-gain control over a running guest"},{"line_number":36,"context_line":"when I lost the password by myself."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_bebb89bc","line":36,"range":{"start_line":33,"start_character":0,"end_line":36,"end_character":35},"in_reply_to":"3fa7e38b_81b522d2","updated":"2020-01-13 07:53:39.000000000","message":"A user in vm\u0027s system that he has the unique name, non-admin cannot reset the admin\u0027s password, I think it\u0027s security, because I cannot reset the other user\u0027s password, unless he told me the username.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"b2c3e6a118752950ffa2a76fbab425f93823dcab","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an administrator, I would like to allow the existing user of the server"},{"line_number":34,"context_line":"to reset its password."},{"line_number":35,"context_line":"As a user (non-admin), I would like to re-gain control over a running guest"},{"line_number":36,"context_line":"when I lost the password by myself."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_7cfc1d40","line":36,"range":{"start_line":33,"start_character":0,"end_line":36,"end_character":35},"in_reply_to":"3fa7e38b_8ae8bd7e","updated":"2020-02-01 09:11:57.000000000","message":"Rescue will interrupt the VM business and use cases collected on the spot, this is not the feature the end user wants.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"e3d6546387e5d33cf8956237a0e754573ce2fa3c","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an administrator, I would like to allow the existing user of the server"},{"line_number":34,"context_line":"to reset its password."},{"line_number":35,"context_line":"As a user (non-admin), I would like to re-gain control over a running guest"},{"line_number":36,"context_line":"when I lost the password by myself."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_eed390d3","line":36,"range":{"start_line":33,"start_character":0,"end_line":36,"end_character":35},"in_reply_to":"3fa7e38b_bebb89bc","updated":"2020-01-13 11:46:06.000000000","message":"security through obscurity is not security. i could just write a script to do this in a loop with a name list and then try to log in also on both windows and linux non admin account can be in the administrator group meaning the can elevate privladges usually by using there password which you just reset. i know the user names of several of my co workers because they are used on donwstream irc or in jira, when i worked at intel we have public home web shares at an internal webserver/\u003cusername\u003e that we could use to share small scripts like local.confs.   the point being most of the time usernames are well know or guessable if you know the persons name so this is a security risk.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"03dad460eb32a5eadfcd4bcf8d57d067d1e5bf13","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an administrator, I would like to allow the existing user of the server"},{"line_number":34,"context_line":"to reset its password."},{"line_number":35,"context_line":"As a user (non-admin), I would like to re-gain control over a running guest"},{"line_number":36,"context_line":"when I lost the password by myself."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_8ae8bd7e","line":36,"range":{"start_line":33,"start_character":0,"end_line":36,"end_character":35},"in_reply_to":"3fa7e38b_eacff151","updated":"2020-01-31 01:34:31.000000000","message":"well on that point other then live vm update.\nis this not covered by rescue as you just said.\n\nthe primary usecase is the user forgot the password and they dont want to file a support ticket. if they are not using full drive encryption within the guest then they can use rescue mode to change the password.\n\nif they are using full drive encryption they can still change the password if they know the drive encryption password.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"b90a5078b2052586d84b8bcee26aa14307119693","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an administrator, I would like to allow the existing user of the server"},{"line_number":34,"context_line":"to reset its password."},{"line_number":35,"context_line":"As a user (non-admin), I would like to re-gain control over a running guest"},{"line_number":36,"context_line":"when I lost the password by myself."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_80806ec0","line":36,"range":{"start_line":33,"start_character":0,"end_line":36,"end_character":35},"in_reply_to":"3fa7e38b_eed390d3","updated":"2020-01-16 06:01:18.000000000","message":"I thought we allow any user in the project to operate the VMs, except we allow the user-based policy, but that we don\u0027t support yet.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4525cb221dab8bcb5d55076b200b3e309da6b9a7","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an administrator, I would like to allow the existing user of the server"},{"line_number":34,"context_line":"to reset its password."},{"line_number":35,"context_line":"As a user (non-admin), I would like to re-gain control over a running guest"},{"line_number":36,"context_line":"when I lost the password by myself."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"},{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_30f81d7d","line":36,"range":{"start_line":33,"start_character":0,"end_line":36,"end_character":35},"in_reply_to":"3fa7e38b_eed4f04e","updated":"2020-01-30 18:58:35.000000000","message":"this policy is passing the user_id actually[1] so policy override to allow per user should work fine.\n\n[1] https://github.com/openstack/nova/blob/b8f4e469399d2b552023002564e992b3d7616687/nova/api/openstack/compute/admin_password.py#L44","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"634e47061928395933b0b8013a59cdc5e46e522c","unresolved":false,"context_lines":[{"line_number":74,"context_line":""},{"line_number":75,"context_line":"  {"},{"line_number":76,"context_line":"    \"changeUserPassword\": {"},{"line_number":77,"context_line":"          \"user_name\": \"foo_name\","},{"line_number":78,"context_line":"          \"user_passwd\": \"foo_passwd\""},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"    }"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_c1d31a01","line":77,"range":{"start_line":77,"start_character":6,"end_line":77,"end_character":34},"updated":"2020-01-10 12:41:49.000000000","message":"this is the user in the vm.\n\nthis would only work if the vm supported local login by the way. i dont think we would expect this to work if the vm use kerberous or a windows domain login right?","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"634e47061928395933b0b8013a59cdc5e46e522c","unresolved":false,"context_lines":[{"line_number":81,"context_line":""},{"line_number":82,"context_line":"  }"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"If the requester is a non-admin user, it is not possible to reset the password"},{"line_number":85,"context_line":"for the usernames \"root\" and \"administrator\", otherwise it will raise a 409."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"If the specified user doesn\u0027t exist in the server\u0027s user list, we will"},{"line_number":88,"context_line":"catch the exception in nova-api, and that cannot reset the server\u0027s status"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_61fca670","line":85,"range":{"start_line":84,"start_character":0,"end_line":85,"end_character":76},"updated":"2020-01-10 12:41:49.000000000","message":"see the issue with this is if that is a shared vm it would still  allow the non admin to reset the password of any user on the vm. that said i dont see a way to prevent that and still support letting the user reset there own accrount.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"634e47061928395933b0b8013a59cdc5e46e522c","unresolved":false,"context_lines":[{"line_number":91,"context_line":"Security impact"},{"line_number":92,"context_line":"---------------"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"None"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Notifications impact"},{"line_number":97,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_8128c2ed","line":94,"range":{"start_line":94,"start_character":0,"end_line":94,"end_character":4},"updated":"2020-01-10 12:41:49.000000000","message":"i think there are several security impacts to this.\n\nas i said above vms are owned by projects not users so this api would presuable allow any user of the poject to reset an user in the vms password. that seam like a pretty big security whole if that vm is shared between users.\n\nin a public cloud env i see a need to be able to disable this feature i also think its likely that users would want to be able to disable this feature rather then have it contoled by the operator. as such i think we would need a hw_user_resetable_password image metadata property or something similar to allow them to enable this feature if they want it but i think it should be disabled by default.\n\nthe alternitve would be to make this an admin only api by default with a new policy rule and allow operators to allow this via modifying the policy rule if the choose.\n\nin either case i dont think we should enable this by default for all vms that have the qemu geust agent enabled.","commit_id":"a5199d0955d55a52f840b176f6a993c930f34566"}]}