POST /users allows creation of user with no password

Bug #843186 reported by klmitch
Affects: OpenStack Identity (keystone) | Status: Fix Released | Importance: High | Assigned to: Unassigned

Bug Description

Creating a user without a password should not be possible. It is.

Tags: bug
Revision history for this message
klmitch (q-noreply) wrote :

I get the nasty security implications, but there may be an underlying store somewhere configured to allow that and we want Keystone to support any underlying store and allow the store to set policies and accept/reject requests.

If you agree with the above, but would still like the reference store implemented on SQLite to not allow that, we can make it so... let me know...

Revision history for this message
klmitch (q-noreply) wrote :

Hey Z,

OK, so the spec says that password is a required piece of information in the PasswordCredentials struct (or at least, the example (page 21) shows a password field and no mention is made that the password is optional).

Indeed, in /keystone/logic/types/auth.py, we see this in PasswordCredentials.from_xml():

            password = root.get("password")
            if password == None:
                raise fault.BadRequestFault("Expecting a password")

So, either the spec or the code needs to change ;)

Plus, I created a test that passes None in the json/xml struct for password, and the server happily let me create the user anyway, so the code above doesn't quite work as expected :)

Revision history for this message
klmitch (q-noreply) wrote :

OK - we can fix (the code, spec, or both). Before I do so, do you agree with the design intent of allowing the spec to support no password and having the backing store determine whether that is allowed or not?

Revision history for this message
klmitch (q-noreply) wrote :

Hmm, I suppose, yes. Although, when we talk about the spec supporting no password, we need to be very clear about which of the following we mean (non-inclusive):

a) In JSON or XML passwordCredentials dict, the password key/attribute is entirely missing
b) In JSON, the password key value is None
c) in XML, the password attribute value is ""
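The three "no password" shapes listed above, plus the XML-only check quoted earlier in the thread, are easy to get subtly wrong: `Element.get()` returns None for a missing attribute but "" for `password=""`, and a JSON `null` arrives as None while a missing key also arrives as None only if the caller uses `.get()`. The following is an added example, not Keystone's own code: a single `_require_password` check shared by a JSON and an XML parser for the passwordCredentials struct, exercised against constructed sample requests covering cases (a), (b) and (c). `BadRequestFault` is a stand-in class reusing the name from the thread, and `SAMPLES` is constructed input, not anything captured from a Keystone deployment.

```python
import json
import xml.etree.ElementTree as ET


class BadRequestFault(Exception):
    """Stand-in for keystone's fault.BadRequestFault (name reused, not the real class)."""


def _require_password(password):
    """Reject every form of "no password" the thread enumerates.

    (a) key/attribute entirely missing -> dict.get / Element.get return None
    (b) JSON "password": null          -> json.loads gives None
    (c) XML password=""                -> Element.get gives ""
    Non-string JSON values (false, 0, []) are also refused so nothing
    downstream hashes or stores a value the client never meant as a secret.
    """
    if password is None:
        raise BadRequestFault("Expecting a password")
    if not isinstance(password, str):
        raise BadRequestFault("Password must be a string")
    if password == "":
        raise BadRequestFault("Expecting a non-empty password")
    return password


def credentials_from_json(body):
    """Parse {"passwordCredentials": {"username": ..., "password": ...}}."""
    try:
        doc = json.loads(body)
    except ValueError:
        raise BadRequestFault("Malformed JSON")
    creds = doc.get("passwordCredentials") if isinstance(doc, dict) else None
    if not isinstance(creds, dict):
        raise BadRequestFault("Expecting passwordCredentials")
    return creds.get("username"), _require_password(creds.get("password"))


def credentials_from_xml(body):
    """Parse <passwordCredentials username="..." password="..."/>."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        raise BadRequestFault("Malformed XML")
    # Strip any namespace prefix ({ns}tag) before comparing the element name.
    if root.tag.rsplit("}", 1)[-1] != "passwordCredentials":
        raise BadRequestFault("Expecting passwordCredentials")
    return root.get("username"), _require_password(root.get("password"))


def rejects(parser, body):
    """True if the parser refuses the body with BadRequestFault."""
    try:
        parser(body)
    except BadRequestFault:
        return True
    return False


# Constructed sample requests: one per case from the thread plus valid ones.
SAMPLES = {
    "json_valid":   '{"passwordCredentials": {"username": "joe", "password": "s3cret"}}',
    "json_missing": '{"passwordCredentials": {"username": "joe"}}',                     # (a)
    "json_null":    '{"passwordCredentials": {"username": "joe", "password": null}}',   # (b)
    "json_empty":   '{"passwordCredentials": {"username": "joe", "password": ""}}',     # (c)
    "json_bool":    '{"passwordCredentials": {"username": "joe", "password": false}}',  # wrong type
    "xml_valid":    '<passwordCredentials username="joe" password="s3cret"/>',
    "xml_missing":  '<passwordCredentials username="joe"/>',                           # (a)
    "xml_empty":    '<passwordCredentials username="joe" password=""/>',               # (c)
}


def check_all():
    """Map each sample name to whether the matching parser rejected it."""
    result = {}
    for name, body in SAMPLES.items():
        parser = credentials_from_json if name.startswith("json") else credentials_from_xml
        result[name] = rejects(parser, body)
    return result


if __name__ == "__main__":
    for name, rejected in check_all().items():
        print(f"{name:13s} -> {'rejected' if rejected else 'accepted'}")
```

Running the module prints one line per sample; only `json_valid` and `xml_valid` are accepted. The point of routing both formats through one check is that a fix applied only in `from_xml` (as in the snippet quoted above) leaves the JSON path, and therefore POST /users over JSON, unprotected.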

Revision history for this message
klmitch (q-noreply) wrote :

Addressed this issue.
