Add support for 2FA in cmk #145

Open
rohityadavcloud opened this issue Feb 23, 2024 · 3 comments

Comments

@rohityadavcloud
Member

Add support for 2FA in cmk -> automate login and inputs.

@rohityadavcloud
Member Author

@harikrishna-patnala could you advise how we can detect if 2FA is enabled or an API needs some kind of input -> any way to implement that with a better UX for cmk?

@rohityadavcloud
Member Author

I checked with help from @harikrishna-patnala and found that:

  1. APIs called using apikey/secretkey bypass the 2FA checks; for most ACS/cmk users, cmk will not prompt for a 2FA code.

  2. For APIs called using username/password on 2FA-enabled systems, it tells users what to run, for example:

    (mbx-419-rohit) 🐵 > list volumes
    🙈 Error: (HTTP 511, error code <nil>) Unable to process the API request due to :Two factor authentication 2FA is enabled but not verified, please verify 2FA using validateUserTwoFactorAuthenticationCode API before calling other APIs. Existing session is invalidated.
    (mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode -h
    validateUserTwoFactorAuthenticationCode: Checks the 2FA code for the user.
    Required params: codefor2fa,
    API Params               Type     Description
    ==========               ====     ===========
    codefor2fa               string   two factor authentication code
    (mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode codefor2fa=105826
    {
      "success": true
    }

This means 2FA support in cmk isn't a blocker for cmk / 2FA users. They can still call this manually as the CLI/prompt suggests.

@rohityadavcloud
Member Author

Ideally the improvement in cmk would be to do the following:

  1. This applies only when username and password are provided; upon login, the response contains whether 2FA is enabled or not:

    {
      "loginresponse": {
        "username": "rohit",
        "userid": "9e9ba412-d3ca-4bf4-aead-768c0b09531f",
        "domainid": "d3806260-e766-11ee-b2c1-525400b612b4",
        "timeout": 1800,
        "account": "rohit",
        "firstname": "Rohit",
        "lastname": "Yadav",
        "type": "0",
        "timezone": "UTC",
        "timezoneoffset": "0.0",
        "registered": "false",
        "sessionkey": "9Gyo6QrVnC4UNd_S9Em64rjlBwE",
        "is2faenabled": "true",
        "is2faverified": "false",
        "providerfor2fa": "totp",
        "issuerfor2fa": "CloudStack"
      }
    }

  2. Next, the validate API should be called after taking user input of the 2FA code, such as:

    URL: http://172.20.0.86:8080/client/api/?codefor2fa=217258&command=validateUserTwoFactorAuthenticationCode&response=json

    Query String Parameters must pass:
    codefor2fa: 217258
    command: validateUserTwoFactorAuthenticationCode

  3. Upon a successful code, the following is returned; otherwise cmk may prompt for additional input:

    {
      "validateusertwofactorauthenticationcoderesponse": {
        "success": true
      }
    }
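
A sketch of the three steps proposed in the comment above, added here as an illustration; it is not cmk's code and not part of the original thread. The helper names are hypothetical, the sample bodies are constructed from the responses quoted in the issue, and HTTP transport and session handling are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// 2FA fields of the login response; values are the strings "true"/"false".
type loginResponse struct {
	Login struct {
		Enabled  string `json:"is2faenabled"`
		Verified string `json:"is2faverified"`
		Provider string `json:"providerfor2fa"`
	} `json:"loginresponse"`
}

// needs2FA (hypothetical helper): must a code be requested before other APIs?
func needs2FA(body []byte) (bool, string, error) {
	var r loginResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return false, "", err
	}
	return r.Login.Enabled == "true" && r.Login.Verified != "true", r.Login.Provider, nil
}

// validateQuery (hypothetical helper) builds the validate call's parameters.
func validateQuery(code string) (url.Values, error) {
	if code = strings.TrimSpace(code); code == "" {
		return nil, fmt.Errorf("empty 2FA code")
	}
	return url.Values{"command": {"validateUserTwoFactorAuthenticationCode"}, "codefor2fa": {code}, "response": {"json"}}, nil
}

// codeAccepted (hypothetical helper): only success=true verifies the session.
func codeAccepted(body []byte) bool {
	var r struct {
		V struct{ Success bool `json:"success"` } `json:"validateusertwofactorauthenticationcoderesponse"`
	}
	return json.Unmarshal(body, &r) == nil && r.V.Success
}

func main() {
	login := []byte(`{"loginresponse":{"is2faenabled":"true","is2faverified":"false","providerfor2fa":"totp"}}`) // constructed
	need, provider, _ := needs2FA(login)
	q, _ := validateQuery(" 217258\n")
	fmt.Println(need, provider, q.Encode())
}
```

Treating a missing or unparsable validate response as "not accepted" keeps the client prompting instead of assuming the session is verified.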
