Open rohityadavcloud opened 6 months ago
@harikrishna-patnala could you advise how we can detect if 2FA is enabled or an API needs some kind of input -> any way to implement that in a better UX way for cmk?
I checked with help from @harikrishna-patnala and found that:
APIs called using apikey/secretkey bypass the 2FA checks; for most ACS/cmk users cmk will not prompt for 2FA code.
For APIs called using username/password on 2FA-enabled systems, it tells users what to run, for example:
```
(mbx-419-rohit) 🐵 > list volumes
🙈 Error: (HTTP 511, error code <nil>) Unable to process the API request due to :Two factor authentication 2FA is enabled but not verified, please verify 2FA using validateUserTwoFactorAuthenticationCode API before calling other APIs. Existing session is invalidated.
(mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode -h
validateUserTwoFactorAuthenticationCode: Checks the 2FA code for the user.
Required params: codefor2fa,
API Params Type Description
========== ==== ===========
codefor2fa string two factor authentication code
(mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode codefor2fa=105826
{
"success": true
}
```
This means 2FA support in cmk isn't a blocker for cmk / 2FA users. They can still call this manually as the CLI/prompt suggests.
Ideally the improvement in cmk would be to do the following:
This applies only when username and password are provided; upon login, the response indicates whether 2FA is enabled or not:
```json
{
  "loginresponse": {
    "username": "rohit",
    "userid": "9e9ba412-d3ca-4bf4-aead-768c0b09531f",
    "domainid": "d3806260-e766-11ee-b2c1-525400b612b4",
    "timeout": 1800,
    "account": "rohit",
    "firstname": "Rohit",
    "lastname": "Yadav",
    "type": "0",
    "timezone": "UTC",
    "timezoneoffset": "0.0",
    "registered": "false",
    "sessionkey": "9Gyo6QrVnC4UNd_S9Em64rjlBwE",
    "is2faenabled": "true",
    "is2faverified": "false",
    "providerfor2fa": "totp",
    "issuerfor2fa": "CloudStack"
  }
}
```
Next, the validate API should be called after taking user input of the 2FA code such as:
The query string parameters must pass:
```
codefor2fa: 217258
command: validateUserTwoFactorAuthenticationCode
```
Add support for 2FA in cmk -> automate login and inputs.
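
Added example, not part of the original issue and not cmk's own code: a Go sketch of the flow proposed above, which reads the 2FA flags from the login response, decides whether to prompt, and builds the `validateUserTwoFactorAuthenticationCode` query. The type and function names are hypothetical, the sample input is constructed, and sending `sessionkey` with the validate call is an assumption.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// twoFAState holds the 2FA fields of the login response. CloudStack returns
// the flags as JSON strings ("true"/"false"), as in the response quoted above.
type twoFAState struct {
	SessionKey string `json:"sessionkey"`
	Enabled    string `json:"is2faenabled"`
	Verified   string `json:"is2faverified"`
	Provider   string `json:"providerfor2fa"`
}

// parseLogin extracts the 2FA state from a raw login response body.
func parseLogin(body []byte) (twoFAState, error) {
	var wrap struct {
		Login *twoFAState `json:"loginresponse"`
	}
	if err := json.Unmarshal(body, &wrap); err != nil {
		return twoFAState{}, err
	}
	if wrap.Login == nil {
		return twoFAState{}, errors.New("no loginresponse object in body")
	}
	return *wrap.Login, nil
}

// needsCode reports whether the CLI must prompt before calling other APIs.
func (s twoFAState) needsCode() bool { return s.Enabled == "true" && s.Verified != "true" }

// validateQuery builds the validate call; sending sessionkey is an assumption.
func validateQuery(s twoFAState, code string) (string, error) {
	if code = strings.TrimSpace(code); code == "" {
		return "", errors.New("empty 2FA code")
	}
	q := url.Values{"command": {"validateUserTwoFactorAuthenticationCode"},
		"codefor2fa": {code}, "sessionkey": {s.SessionKey}}
	return q.Encode(), nil
}

func main() {
	s, _ := parseLogin([]byte(`{"loginresponse":{"sessionkey":"constructed","is2faenabled":"true","is2faverified":"false","providerfor2fa":"totp"}}`))
	fmt.Println(s.needsCode(), s.Provider) // constructed sample input
}
```

`needsCode` treats a missing or non-`"true"` `is2faverified` as unverified whenever 2FA is enabled, so the prompt is shown rather than skipped when the field is absent.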