Users with ‘Read Only User - Default’ or ‘Support User - Default’ roles are unable to activate and use 2FA #10269

@luganofer

problem

If a user and account are created and the account is assigned either of the default CloudStack roles ‘Read Only User - Default’ or ‘Support User - Default’, it is not possible to use the second factor authentication.
Listing providers to enable 2FA is not possible and therefore the process cannot be completed.

versions

At least in CloudStack 🐵 version 4.18.2.3 and 4.19.1.3

The steps to reproduce the bug

  1. Create an account using the role ‘Read Only User - Default’ or ‘Support User - Default’.
  2. Create a user that belongs to the account created in the previous step.
  3. Log in with the user on a domain that requests 2FA for validation.
  4. It is not possible to choose the 2FA provider and therefore activate 2FA.

What to do about it?

The expected action would be to list the suppliers for 2FA so that the process can be completed.
As a workaround you can create a new role (copying the permissions of the ones affected by the bug) and add these API calls as allowed:

  - setupUserTwoFactorAuthentication
  - validateUserTwoFactorAuthenticationCode
  - listUserTwoFactorAuthenticatorProviders
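A way to check a role's rule list for the three API calls named in the workaround, as an added example that is not part of the original issue or of CloudStack's code. It assumes rules are evaluated in order with the first match deciding, that `*` is a wildcard, that matching is case-insensitive and that an unmatched API is denied; the sample role is constructed and is not the real content of either default role.

```python
import re

# The three API calls the issue says must be allowed for 2FA enrolment.
REQUIRED_2FA_APIS = (
    "setupUserTwoFactorAuthentication",
    "validateUserTwoFactorAuthenticationCode",
    "listUserTwoFactorAuthenticatorProviders",
)


def rule_matches(rule, api):
    """Assumed semantics: '*' matches any run of characters, case-insensitive."""
    pattern = ".*".join(re.escape(part) for part in rule.split("*"))
    return re.fullmatch(pattern, api, re.IGNORECASE) is not None


def decision(permissions, api):
    """Assumed semantics: first matching rule wins; no match means deny."""
    for perm in permissions:
        if rule_matches(perm["rule"], api):
            return perm["permission"].lower()
    return "deny"


def missing_2fa_apis(permissions):
    """Return the required 2FA API calls this ordered rule list does not allow."""
    return [api for api in REQUIRED_2FA_APIS if decision(permissions, api) != "allow"]


def workaround_rules(permissions):
    """Rule list for the copied role: the missing 2FA allows go first,
    so an earlier deny (for example a catch-all '*') cannot shadow them."""
    extra = [{"rule": api, "permission": "allow"} for api in missing_2fa_apis(permissions)]
    return extra + list(permissions)


# Constructed sample shaped like a restrictive read-only role.
READ_ONLY_LIKE = [
    {"rule": "listVirtualMachines", "permission": "allow"},
    {"rule": "listVolumes", "permission": "allow"},
    {"rule": "*", "permission": "deny"},
]

if __name__ == "__main__":
    print("missing before:", missing_2fa_apis(READ_ONLY_LIKE))
    print("missing after: ", missing_2fa_apis(workaround_rules(READ_ONLY_LIKE)))
```

Under the assumed ordering, appending the three allow rules after a catch-all deny leaves the role unable to enrol, which is why `workaround_rules` places them first.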
