The Grid Administrator User can post a new password without providing currentPassword. Is this expected behavior?
Applies to
StorageGRID
Answer
- Yes. This is correct behavior by design.
- The Grid Administrator User has root permission as a superuser.
- To reset someone's password, it is not necessary to know the current password for that person.
Note: The permission requirements are different for current-user and other-user endpoints.
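Because the other-user endpoint accepts a new password without the current one, successful calls to it are worth reviewing. The following added example (not from the original article or from NetApp) separates the two change-password endpoints listed under Additional Information and reports successful resets of another account; the record layout, timestamps, the placeholder path and the admin_user name are constructed assumptions, not a real StorageGRID log format.

```python
import re

# Endpoint templates from this article (API v3 paths as used in its curl examples).
OTHER_USER = re.compile(r"^/api/v3/grid/users/user/(?P<short_name>[^/]+)/change-password$")
CURRENT_USER = "/api/v3/grid/users/current-user/change-password"

# Constructed sample records, NOT a real StorageGRID log format (assumed layout):
# "<timestamp> <authenticated user> <method> <path> <status>"
SAMPLE_LOG = """\
2024-01-01T10:00:00Z admin_user POST /api/v3/grid/users/user/api_test/change-password 204
2024-01-01T10:05:00Z api_test POST /api/v3/grid/users/current-user/change-password 422
2024-01-01T10:06:00Z api_test POST /api/v3/grid/users/current-user/change-password 204
2024-01-01T10:07:00Z admin_user GET /api/v3/placeholder-other-request 200
2024-01-01T10:09:00Z admin_user POST /api/v3/grid/users/user/admin_user/change-password 204
"""


def classify(line):
    """Return a dict describing a change-password request, or None for other traffic."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, actor, method, path, status = parts
    if method != "POST" or not status.isdigit():
        return None
    m = OTHER_USER.match(path)
    if m:
        kind, target = "admin-reset", m.group("short_name")
    elif path == CURRENT_USER:
        kind, target = "self-change", actor
    else:
        return None
    return {"time": ts, "actor": actor, "target": target, "kind": kind, "status": int(status)}


def resets_to_review(log_text):
    """Successful resets of another account, made without proof of its old password."""
    events = filter(None, map(classify, log_text.splitlines()))
    return [e for e in events
            if e["kind"] == "admin-reset" and e["status"] == 204 and e["actor"] != e["target"]]


if __name__ == "__main__":
    for e in resets_to_review(SAMPLE_LOG):
        print(f'{e["time"]} {e["actor"]} reset password of {e["target"]}')
```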
Additional Information
- Update a local Grid Administrator User password by unique name using the following command.
POST /grid/users/user/{shortName}/change-password
Example:
Curl
curl -X POST "https://10.64.24.95/api/v3/grid/users/user/api_test/change-password" -H "accept: application/json" -H "Authorization: Bearer 224a741d-47b3-4e50-a3a0-7dc9f4070e71" -H "Content-Type: application/json" -H "X-Csrf-Token: c0c1ab7d204fc8bcbfe68c2e02589e94" -d "{ \"password\": \"87654321\", \"currentPassword\": \"\"}"
Server response
Code  Description
204   successfully updated
- Update the current Grid Administrator User's password using the following command.
POST /grid/users/current-user/change-password
Example:
Curl
curl -X POST "https://10.64.24.95/api/v3/grid/users/current-user/change-password" -H "accept: application/json" -H "Content-Type: application/json" -H "X-Csrf-Token: fa434a2773c84f3688a951fb718290df" -d "{ \"password\": \"12345678\", \"currentPassword\": \"\"}"
Server response
422 Error: Unprocessable Entity
Response body
{
  "errors": [
    {
      "text": "Currentpassword can't be blank.",
      "key": "error.i18n.validation",
      "context": "currentPassword"
    }
  ],