[NEW] Let user change his own password

[gkorland]

The problem/use-case that the feature addresses

Currently the only way to change your own password is by using ACL command
And users without Admin right should not have access to this command

Description of the feature

Add command or some API to allow the user change his password

SETPASS <password>

• >password: Adds the specified clear text password as a hashed password in the list of the users passwords. Every user can have many active passwords, so that password rotation will be simpler. The specified password is not stored as clear text inside the server. Example: >mypassword.

• #<hashedpassword>: Adds the specified hashed password to the list of user passwords. A Redis hashed password is hashed with SHA256 and translated into a hexadecimal string. Example: #c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2.

• <password: Like >password but removes the password instead of adding it.

• !<hashedpassword>: Like # but removes the password instead of adding it.

[madolson]

I like this idea, I would be OK with implementing this.

The only alternative is that we talked about implementing flags on users, one of those could be that you can only update your own password.

[hpatro]

Currently all the permissions (command access/keyspace access/channel access/modifying password) are all tied up under ACL SETUSER. The question I've is do users update their own passwords, Isn't it generally performed by administrators? Under which scenario do you see users updating their passwords on their own?

If we decide to build this. We could maybe make this a sub-command of ACL itself. Users can be granted specific permission for that via +ACL|SETPASS.

ACL SETPASS <user> <symbol><password>