You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by "rohityadavcloud (via GitHub)" <gi...@apache.org> on 2024/02/23 11:07:17 UTC

[I] Add support for 2FA in cmk [cloudstack-cloudmonkey]

rohityadavcloud opened a new issue, #145:
URL: https://github.com/apache/cloudstack-cloudmonkey/issues/145

   Add support for 2FA in cmk -> automate login and inputs.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@cloudstack.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [I] Add support for 2FA in cmk [cloudstack-cloudmonkey]

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.
rohityadavcloud commented on issue #145:
URL: https://github.com/apache/cloudstack-cloudmonkey/issues/145#issuecomment-1961134519

   @harikrishna-patnala could you advise how we can detect if 2FA is enabled or an API needs some kind of inputs -> any way to implement that in a better UX way for cmk ?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [I] Add support for 2FA in cmk [cloudstack-cloudmonkey]

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.
rohityadavcloud commented on issue #145:
URL: https://github.com/apache/cloudstack-cloudmonkey/issues/145#issuecomment-2011832202

   Ideally the improvement in `cmk` would be to do the following:
   
   1. This applies only when username and password is provided, upon login the response contains whether 2FA is enabled or not:
   {
       "loginresponse": {
           "username": "rohit",
           "userid": "9e9ba412-d3ca-4bf4-aead-768c0b09531f",
           "domainid": "d3806260-e766-11ee-b2c1-525400b612b4",
           "timeout": 1800,
           "account": "rohit",
           "firstname": "Rohit",
           "lastname": "Yadav",
           "type": "0",
           "timezone": "UTC",
           "timezoneoffset": "0.0",
           "registered": "false",
           "sessionkey": "9Gyo6QrVnC4UNd_S9Em64rjlBwE",
           "is2faenabled": "true",
           "is2faverified": "false",
           "providerfor2fa": "totp",
           "issuerfor2fa": "CloudStack"
       }
   }
   
   2. Next, the validate API should be called after taking user input of the 2FA code such as:
   
   URL: http://172.20.0.86:8080/client/api/?codefor2fa=217258&command=validateUserTwoFactorAuthenticationCode&response=json
   
   Query String Parameters must pass:
   codefor2fa: 217258
   command: validateUserTwoFactorAuthenticationCode
   
   3. Upon successful code the following is returned, otherwise cmk may prompt additional input:
   {
       "validateusertwofactorauthenticationcoderesponse": {
           "success": true
       }
   }


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [I] Add support for 2FA in cmk [cloudstack-cloudmonkey]

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.
rohityadavcloud commented on issue #145:
URL: https://github.com/apache/cloudstack-cloudmonkey/issues/145#issuecomment-2011824280

   I checked with help from @harikrishna-patnala and found that:
   
   1. APIs called using apikey/secretkey bypass the 2FA checks; for most ACS/cmk users cmk will not prompt for 2FA code.
   
   2. For APIs called using username/password for 2FA enabled systems, it suggests users what to run, for example:
   ```
   (mbx-419-rohit) 🐵 > list volumes
   🙈 Error: (HTTP 511, error code <nil>) Unable to process the API request due to :Two factor authentication 2FA is enabled but not verified, please verify 2FA using validateUserTwoFactorAuthenticationCode API before calling other APIs. Existing session is invalidated.
   (mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode -h
   validateUserTwoFactorAuthenticationCode: Checks the 2FA code for the user.
   Required params: codefor2fa,
   API Params               Type     Description
   ==========               ====     ===========
   codefor2fa               string   two factor authentication code
   (mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode codefor2fa=105826
   {
     "success": true
   }
   ```
   
   This means 2FA support in cmk isn't a blocker for cmk / 2FA users. They can still call this manually as the CLI/prompt suggests.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org