Add support for 2FA in cmk #145

Open
rohityadavcloud opened this issue Feb 23, 2024 · 6 comments

@rohityadavcloud
Member

Add support for 2FA in cmk -> automate login and inputs.

@rohityadavcloud
Member Author

@harikrishna-patnala could you advise how we can detect if 2FA is enabled or an API needs some kind of inputs -> any way to implement that in a better UX way for cmk?

@rohityadavcloud
Member Author

I checked with help from @harikrishna-patnala and found that:

  1. APIs called using apikey/secretkey bypass the 2FA checks; for most ACS/cmk users cmk will not prompt for 2FA code.

  2. For APIs called using username/password for 2FA enabled systems, it suggests users what to run, for example:

    (mbx-419-rohit) 🐵 > list volumes
    🙈 Error: (HTTP 511, error code <nil>) Unable to process the API request due to :Two factor authentication 2FA is enabled but not verified, please verify 2FA using validateUserTwoFactorAuthenticationCode API before calling other APIs. Existing session is invalidated.
    (mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode -h
    validateUserTwoFactorAuthenticationCode: Checks the 2FA code for the user.
    Required params: codefor2fa,
    API Params               Type     Description
    ==========               ====     ===========
    codefor2fa               string   two factor authentication code
    (mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode codefor2fa=105826
    {
      "success": true
    }

This means 2FA support in cmk isn't a blocker for cmk / 2FA users. They can still call this manually as the CLI/prompt suggests.

@rohityadavcloud
Member Author

Ideally the improvement in cmk would be to do the following:

  1. This applies only when username and password are provided, upon login the response contains whether 2FA is enabled or not:
    {
      "loginresponse": {
        "username": "rohit",
        "userid": "9e9ba412-d3ca-4bf4-aead-768c0b09531f",
        "domainid": "d3806260-e766-11ee-b2c1-525400b612b4",
        "timeout": 1800,
        "account": "rohit",
        "firstname": "Rohit",
        "lastname": "Yadav",
        "type": "0",
        "timezone": "UTC",
        "timezoneoffset": "0.0",
        "registered": "false",
        "sessionkey": "9Gyo6QrVnC4UNd_S9Em64rjlBwE",
        "is2faenabled": "true",
        "is2faverified": "false",
        "providerfor2fa": "totp",
        "issuerfor2fa": "CloudStack"
      }
    }

  2. Next, the validate API should be called after taking user input of the 2FA code such as:

URL: http://172.20.0.86:8080/client/api/?codefor2fa=217258&command=validateUserTwoFactorAuthenticationCode&response=json

Query String Parameters must pass:
codefor2fa: 217258
command: validateUserTwoFactorAuthenticationCode

  3. Upon successful code the following is returned, otherwise cmk may prompt additional input:
    {
      "validateusertwofactorauthenticationcoderesponse": {
        "success": true
      }
    }
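
The three steps above as a Go sketch; this is an added example, not part of the original comment and not cmk's own code. The helper names `needs2FA`, `validateQuery` and `validated` are hypothetical, and the sample replies are constructed from the responses quoted above. Note that the login flags arrive as JSON strings while the validate result is a JSON boolean.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample replies, trimmed from the responses quoted in the issue.
const sampleLogin = `{"loginresponse":{"username":"rohit","is2faenabled":"true","is2faverified":"false"}}`
const sampleValidate = `{"validateusertwofactorauthenticationcoderesponse":{"success":true}}`

// needs2FA reports whether a login reply describes a session that still has to be verified.
func needs2FA(body []byte) (bool, error) {
	var env struct {
		Login *struct {
			Enabled  string `json:"is2faenabled"` // "true"/"false" as strings, not bool
			Verified string `json:"is2faverified"`
		} `json:"loginresponse"`
	}
	if err := json.Unmarshal(body, &env); err != nil || env.Login == nil {
		return false, errors.New("not a login reply")
	}
	return env.Login.Enabled == "true" && env.Login.Verified != "true", nil
}

// validateQuery builds the query string of the validate call from user input.
func validateQuery(code string) (string, error) {
	if code = strings.TrimSpace(code); code == "" {
		return "", errors.New("empty 2FA code")
	}
	v := url.Values{"command": {"validateUserTwoFactorAuthenticationCode"},
		"codefor2fa": {code}, "response": {"json"}}
	return v.Encode(), nil // Encode sorts keys and escapes the input
}

// validated reports whether the validate reply carries "success": true.
func validated(body []byte) bool {
	var env map[string]struct{ Success bool `json:"success"` }
	return json.Unmarshal(body, &env) == nil && env["validateusertwofactorauthenticationcoderesponse"].Success
}

func main() {
	need, _ := needs2FA([]byte(sampleLogin))
	q, _ := validateQuery("217258")
	fmt.Println(need, q, validated([]byte(sampleValidate)))
}
```

A client following this flow would prompt for the code only when `needs2FA` returns true, and prompt again when `validated` returns false.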

@Jayd603

Jayd603 commented Jan 28, 2025

I have both api/secretkey configured and working.

When trying to use createAccount I am getting 2fa failure despite issuing a successful 'login' and 2fa code and receiving a success message.

    (admin) 🐱 > login username=admin password='password'

    (admin) 🐱 > validateUserTwoFactorAuthenticationCode codefor2fa=643762
    {
      "success": true
    }

    (admin) 🐱 > createAccount username=testuser email=info@test.net firstname=Test lastname=User password=testpassword roleid=ce5a99c7-3f9a-4ba1-b52e-f0a1155f2cdf
    🙈 Error: (HTTP 511, error code ) Unable to process the API request due to :Two factor authentication 2FA is enabled but not verified, please verify 2FA using validateUserTwoFactorAuthenticationCode API before calling other APIs. Existing session is invalidated.

so this is not implemented or am I doing something else wrong.

EDIT: oh my bad this IS a feature request so I assume not implemented. sorry

@rohityadavcloud
Member Author

Hi @Jayd603 you should either just use apikey-secretkey which doesn’t need 2FA or set username and password and use the validate code api. You’re doing both.

If you want to use 2FA, then remove the apikey-secretkey by running the set command with value as blank, next set username and password. Try again.

@Jayd603

Jayd603 commented Jan 29, 2025

> Hi @Jayd603 you should either just use apikey-secretkey which doesn’t need 2FA or set username and password and use the validate code api. You’re doing both.
>
> If you want to use 2FA, then remove the apikey-secretkey by running the set command with value as blank, next set username and password. Try again.

Ahh I see. api/secretkey do not work with 2fa enabled. Using user/pass with 2fa it worked just fine. Thank you very much.
