Hosts can acquire valid password via password change · Issue #1920 · cyberark/conjur · GitHub
Hosts can acquire valid password via password change #1920
Open
@john-odonnell

Description

Summary

Hosts, as non-human roles, are intended to only have an API key, and not a password. Setting a host's password is possible by making a request to the API endpoint to change a role's password using curl and a valid form of authentication. The password is then accepted as a valid means of authentication.

Steps to Reproduce

curl -X PUT -v --data My-Passw0rd\! --user 'host/host1:<api_key>' http://<conjur_host>/authn/dev/password

Expected Results

Request to change a host's password should be denied.

Actual Results (including error logs, if applicable)

A successful password change, and HTTP status 204 indicating such.

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

1.10.0

Environment setup

Found using the Conjur development environment detailed here.

Additional Information
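An added example, not the issue reporter's or Conjur's own code, showing the behaviour the Expected Results section asks for: a handler for the password endpoint that stores a new password for user roles and refuses it for host roles. It assumes Conjur's login and role-id conventions (a `host/host1` login maps to role id `dev:host:host1`, a plain login to a user role) and HTTP Basic auth carrying `login:api_key`, as the curl `--user` flag above sends.

```ruby
require 'base64'

# Constructed credential store for account "dev" (not real Conjur data):
# role id => API key, with role ids in the "account:kind:identifier" form.
API_KEYS = {
  'dev:user:alice' => 'user-api-key-1',
  'dev:host:host1' => 'host-api-key-1'
}.freeze

# Map a login to a role id (assumed Conjur convention: "host/<id>" logins
# are host roles, any other login is a user role).
def role_id_for(account, login)
  if login.start_with?('host/')
    "#{account}:host:#{login.delete_prefix('host/')}"
  else
    "#{account}:user:#{login}"
  end
end

# The kind is the middle component of "account:kind:identifier".
def role_kind(role_id)
  role_id.split(':', 3)[1]
end

# Decode an HTTP Basic header into [login, api_key]; nil if malformed.
def parse_basic_auth(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  decoded = Base64.strict_decode64(header.delete_prefix('Basic ')) rescue nil
  return nil unless decoded&.include?(':')
  decoded.split(':', 2)
end

# Handle PUT /authn/:account/password and return the HTTP status only:
# 401 for bad credentials, 403 when a host role tries to set a password
# (the denial the issue expects), 204 when a user's password is stored.
def change_password(account, auth_header, new_password, passwords)
  login, key = parse_basic_auth(auth_header)
  return 401 if login.nil?
  role_id = role_id_for(account, login)
  return 401 unless API_KEYS[role_id] == key
  return 403 unless role_kind(role_id) == 'user'
  passwords[role_id] = new_password
  204
end

# Build the Authorization header that curl's --user 'login:key' sends.
def basic_auth(login, key)
  'Basic ' + Base64.strict_encode64("#{login}:#{key}")
end
```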
