shwstppr
Contributor

@shwstppr shwstppr commented Aug 7, 2025

Fixes #168

Prevents falling back to username-password login when credentials are passed as command-line arguments and authentication fails.

⇒  bin/cmk -d -s anc -k bnm listzones id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64                   
[debug] UpdateConfig key:apikey value:bnm update:false
[debug] UpdateConfig key:secretkey value:anc update:false
[debug] Trying to read API cache from:/home/shwstppr/.cmk/profiles/lab.cache
[debug] cmdline args:bin/cmk, -d, -s, anc, -k, bnm, listzones, id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64
[debug] ExecCmd args: listzones, id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64
[debug] NewAPIRequest API request URL:http://10.1.34.104:8080/client/api?apiKey=bnm&command=listZones&expires=2025-08-13T10%3A24%3A03Z&id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64&response=json&signatureversion=3
[debug] NewAPIRequest response status code:401
[debug] Credentials supplied on command-line, not falling back to login
[debug] NewAPIRequest response body:{"listzonesresponse":{"uuidList":[],"errorcode":401,"errortext":"unable to verify user credentials and/or request signature"}}
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature

When using cmk shell, fallback will work as before:

⇒  make run                                                                                      fix-wrongkeys-access| 
▶  Running gofmt…
▶  Building executable… ec3d185
▶  Done!
./bin/cmk
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(lab) 🐱 > set apikey abc
(lab) 🐱 > set secretkey xyz
(lab) 🐱 > set debug true
[debug] UpdateConfig key:debug value:true update:true
[debug] Trying to read API cache from:/home/shwstppr/.cmk/profiles/lab.cache
(lab) 🐱 > listZones
[debug] ExecLine line:listZones
[debug] ExecCmd args: listZones
[debug] NewAPIRequest API request URL:http://10.1.34.104:8080/client/api?apiKey=abc&command=listZones&expires=2025-08-13T10%3A25%3A21Z&response=json&signatureversion=3
[debug] NewAPIRequest response status code:401
[debug] Login POST URL:http://10.1.34.104:8080/client/apimap[command:[login] domain:[] password:[password] response:[json] username:[admin]]
[debug] Login POST response status code:200
[debug] Login response body:{"loginresponse":{"username":"admin","userid":"74d47f65-775b-11f0-8165-1e00b8000b26","domainid":"23aedd87-775b-11f0-8165-1e00b8000b26","timeout":1800,"account":"admin","firstname":"admin","lastname":"cloud","type":"1","timezone":"UTC","timezoneoffset":"0.0","registered":"false","sessionkey":"rEAzq-E0b2YkARTO423lX0rxH2k","is2faenabled":"false","is2faverified":"true","issuerfor2fa":"CloudStack"}}
[debug] Login sessionkey:rEAzq-E0b2YkARTO423lX0rxH2k
[debug] Checking if 2FA is enabled and verified for the user map[account:admin domainid:23aedd87-775b-11f0-8165-1e00b8000b26 firstname:admin is2faenabled:false is2faverified:true issuerfor2fa:CloudStack lastname:cloud registered:false sessionkey:rEAzq-E0b2YkARTO423lX0rxH2k timeout:1800 timezone:UTC timezoneoffset:0.0 type:1 userid:74d47f65-775b-11f0-8165-1e00b8000b26 username:admin]
[debug] 2FA is not enabled for the user, skipping 2FA validation
[debug] NewAPIRequest API request URL:http://10.1.34.104:8080/client/api?apiKey=abc&command=listZones&expires=2025-08-13T10%3A25%3A21Z&response=json&sessionkey=rEAzq-E0b2YkARTO423lX0rxH2k&signature=fFYoHcaaDtrv93FPX7hjiRwia4E%3D&signatureversion=3
[debug] NewAPIRequest response body:{"listzonesresponse":{"count":1,"zone":[{"id":"b37b6f25-3c68-4fd1-8945-ed1852ca7e64","name":"ref-trl-5997-k-Mr9-abhishek-kumar","dns1":"10.1.32.1","dns2":"8.8.8.8","internaldns1":"10.1.32.1","internaldns2":"8.8.4.4","guestcidraddress":"10.1.1.0/24","networktype":"Advanced","securitygroupsenabled":false,"allocationstate":"Enabled","zonetoken":"c759dd00-13f1-3a2d-897f-c2f917a23e39","dhcpprovider":"VirtualRouter","localstorageenabled":false,"tags":[],"allowuserspecifyvrmtu":false,"routerprivateinterfacemaxmtu":1500,"routerpublicinterfacemaxmtu":1500,"type":"Core","isnsxenabled":false,"ismultiarch":false,"asnrange":"","routedmodeenabled":true,"hasannotations":false}]}}
{
  "count": 1,
  "zone": [
    {
      "allocationstate": "Enabled",
      "allowuserspecifyvrmtu": false,
      "asnrange": "",
      "dhcpprovider": "VirtualRouter",
      "dns1": "10.1.32.1",
      "dns2": "8.8.8.8",
      "guestcidraddress": "10.1.1.0/24",
      "hasannotations": false,
      "id": "b37b6f25-3c68-4fd1-8945-ed1852ca7e64",
      "internaldns1": "10.1.32.1",
      "internaldns2": "8.8.4.4",
      "ismultiarch": false,
      "isnsxenabled": false,
      "localstorageenabled": false,
      "name": "ref-trl-5997-k-Mr9-abhishek-kumar",
      "networktype": "Advanced",
      "routedmodeenabled": true,
      "routerprivateinterfacemaxmtu": 1500,
      "routerpublicinterfacemaxmtu": 1500,
      "securitygroupsenabled": false,
      "tags": [],
      "type": "Core",
      "zonetoken": "c759dd00-13f1-3a2d-897f-c2f917a23e39"
    }
  ]
}
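
A minimal model of the fall-back decision described in this pull request, as an added example that is not CloudMonkey's own code: it shows why retrying with the profile's username and password after a key failure can silently change the identity a command runs as, and how refusing the retry for command-line keys fails closed. The `Client`, `Server` and `Scenario` names, the account names and all credential values are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Credentials is everything the client could authenticate with.
type Credentials struct {
	APIKey, SecretKey  string
	Username, Password string
}

// Client is a hypothetical model of the CLI state, not CloudMonkey's own type.
type Client struct {
	Creds           Credentials // profile values with any -k/-s overrides applied
	KeysFromCmdline bool        // true when keys were passed as arguments
}

// ErrUnauthorized stands in for the HTTP 401 response.
var ErrUnauthorized = errors.New("HTTP 401: unable to verify user credentials and/or request signature")

// Server is a constructed stand-in for the API endpoint.
type Server struct {
	Keys   map[string]string // "apikey:secretkey" -> account
	Logins map[string]string // "username:password" -> account
}

func (s Server) withKeys(c Credentials) (string, error) {
	if acct, ok := s.Keys[c.APIKey+":"+c.SecretKey]; ok {
		return acct, nil
	}
	return "", ErrUnauthorized
}

func (s Server) login(c Credentials) (string, error) {
	if acct, ok := s.Logins[c.Username+":"+c.Password]; ok {
		return acct, nil
	}
	return "", ErrUnauthorized
}

// Call reports which account the request ran as and how it authenticated.
func (c Client) Call(s Server) (account, via string, err error) {
	if account, err = s.withKeys(c.Creds); err == nil {
		return account, "keys", nil
	}
	if c.KeysFromCmdline {
		// Keys were given explicitly: fail closed instead of switching identity.
		return "", "", err
	}
	// Profile-only credentials: retry with the stored username and password.
	if account, err = s.login(c.Creds); err != nil {
		return "", "", err
	}
	return account, "login-fallback", nil
}

// Scenario builds a profile that stores admin's username and password,
// applies the given keys, and runs one call against the constructed server.
func Scenario(fromCmdline bool, apiKey, secretKey string) (string, string, error) {
	srv := Server{
		Keys:   map[string]string{"user-key:user-secret": "user"},
		Logins: map[string]string{"admin:password": "admin"},
	}
	cl := Client{
		Creds: Credentials{APIKey: apiKey, SecretKey: secretKey,
			Username: "admin", Password: "password"},
		KeysFromCmdline: fromCmdline,
	}
	return cl.Call(srv)
}

func main() {
	for _, fromCmdline := range []bool{false, true} {
		acct, via, err := Scenario(fromCmdline, "user-key", "wrong-secret")
		fmt.Printf("cmdline=%v account=%q via=%q err=%v\n", fromCmdline, acct, via, err)
	}
}
```

With a wrong secret key, the profile-only path ends up running as `admin`, while the command-line path returns the 401 error.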

@weizhouapache
Member

@shwstppr
If, in .cmk/config, the apikey and secretkey are wrong but the username and password are correct, will it work?

@shwstppr
Contributor Author

shwstppr commented Aug 7, 2025

@weizhouapache no. I think that is the issue @ingox was mentioning.
Currently, you can set username/password for the admin and apikey/secretkey for any user. If the API call fails with keys, it logs in with username/pass, which could be problematic for the use case Ingo was referring to.

@weizhouapache
Member

> @weizhouapache no. I think that is the issue @ingox was mentioning.

Yes, it is the issue that @ingox reported. It seems like @DaanHoogland and @ingox have agreed it is a bash issue.

> Currently, you can set username/password for the admin and apikey/secretkey for any user. If the API call fails with keys, it logs in with username/pass, which could be problematic for the use case Ingo was referring to.

My understanding is a bit different.
If users use -s or -k or "set apikey" or "set secretkey", do not load any profiles in config file, or clean existing profile.
Otherwise, load the profile in config file. If apikey/secretkey are wrong in config file, then use username and password instead.

@shwstppr
Contributor Author

shwstppr commented Aug 8, 2025

Thanks @weizhouapache. I don't have a strong opinion either way, so I'm happy to close this if we have agreement that it should work as it is.

@shwstppr shwstppr closed this Aug 8, 2025
@shwstppr shwstppr reopened this Aug 8, 2025

github-actions bot commented Aug 8, 2025

✅ Build complete for PR #174.

🔗 Download the cmk binaries (expires on August 23, 2025)

@rohityadavcloud rohityadavcloud added this to the 6.5.0 milestone Aug 11, 2025
@DaanHoogland DaanHoogland reopened this Aug 12, 2025
@DaanHoogland
Contributor

DaanHoogland commented Aug 12, 2025

@shwstppr works kind of like expected. I have one functional concern though:

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set apikey 
(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set apikey plplpl
(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set secretkey plplpl
(randy) 🐱 > sync
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature
(randy) 🐱 > set secretkey
(randy) 🐱 > sync
Discovered 877 APIs

As you can see above, setting only a “wrong” APIkey does not stop me from logging in. Is that what we want? I think this does not address all of @ingox's concern. In this way we can still fool ourselves.

~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k plpl
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key> -s <good key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key> -s <bad key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs

When not using a profile as the basis, it works as expected btw:

~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -k <good key> -s <good key> -u http://10.0.34.242:8080/client/api
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -k <good key> -s <bad key> -u http://10.0.34.242:8080/client/api
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature

What do you think about my comment here? In short, I would expect any configured credentials to be ignored once the CLI contains any credentials.

@shwstppr
Contributor Author

@DaanHoogland I think this needs a bit more discussion. I agree that if valid credentials are available, any invalid ones should be ignored. However, the use case @ingox raised is also valid.

One option is to add a config flag—say, allowfallback—to toggle this behaviour. Alternatively, to keep cmk simple, we could avoid a new setting and address Ingo’s scenario with a few preparatory steps before setting keys (e.g., clear stale credentials, explicitly select the target profile, and validate with a quick API call).
cmk set profile user
cmk set username <USER_ACCOUNT_NAME>
cmk -s -k

I'm converting this to draft for now

@shwstppr shwstppr marked this pull request as draft August 12, 2025 10:00
@DaanHoogland
Contributor

@ingox can you read #174 (comment) and #174 (comment) and give your opinion, please?

@shwstppr shwstppr force-pushed the fix-wrongkeys-access branch from a6b815c to ec3d185 Compare August 13, 2025 10:06
@shwstppr shwstppr changed the title from "access: prevent login with username-password when using wrong keys" to "access: prevent login with username-password when command-line credentials given" Aug 13, 2025
@shwstppr
Contributor Author

@ingox @DaanHoogland @weizhouapache can you please check now

(PR description updated)

@shwstppr shwstppr marked this pull request as ready for review August 13, 2025 10:14
@DaanHoogland
Contributor

✅ Build complete for PR #174.

🔗 Download the cmk binaries (expires on August 23, 2025)

@ingox can you download these files and do a test with the version for your platform, please?

Contributor

@DaanHoogland DaanHoogland left a comment

clgtm

@ingox

ingox commented Aug 14, 2025

Hello all,
here are my test results using CloudMonkey 6.4.0 (build: ec3d185, 2025-08-13T10:07:02+0000)
./cmk.linux.x86-64 -k right -s right #once logged in: list users --> I'm a user
./cmk.linux.x86-64 -k wrong -s wrong #once logged in: list users --> I'm admin
./cmk.linux.x86-64 -k right -s right list users --> I'm a user
./cmk.linux.x86-64 -k wrong -s wrong list users --> Error: (HTTP 401, error code ) unable to verify user credentials and/or request signature

So there is a different behavior between passing the command directly and logging into cmk and running the command from there.

@shwstppr
Contributor Author

@ingox my understanding was we agreed to this behaviour #168 (comment)
In cmk shell, we are trying both means of authentication because we are relying on the profile

@DaanHoogland
Contributor

@ingox @shwstppr, independent of the answer, I think this is an improvement as is and we can merge. We can discuss the extra scenario independently, or is there some design impediment in this code for further blocking when in the shell?


@kiranchavala kiranchavala left a comment

LGTM verified manually

Before fix

cmk -d -s B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw -k -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg list users filter=account,username
[debug] UpdateConfig key:apikey value:-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg update:false
[debug] UpdateConfig key:secretkey value:B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw update:false
[debug] Trying to read API cache from:/Users/kiranchavala/.cmk/profiles/admin.cache
[debug] cmdline args:cmk, -d, -s, B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw, -k, -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg, list, users, filter=account,username
[debug] ExecCmd args: list, users, filter=account,username
[debug] NewAPIRequest API request URL:http://10.0.35.15:8080/client/api?apiKey=-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg&command=listUsers&expires=2025-08-18T10%3A22%3A05Z&filter=account%2Cusername&response=json&signatureversion=3
[debug] NewAPIRequest response status code:200
[debug] NewAPIRequest response body:{"listusersresponse":{"count":1,"user":[{"id":"d15245cc-60fd-4144-b98d-8730d9be6900","username":"user","firstname":"ACloudStack","lastname":"User","email":"[email protected]","created":"2025-08-12T04:22:09+0000","state":"enabled","account":"ACSUser","accounttype":0,"usersource":"native","roleid":"1c12c75a-7731-11f0-9a5b-1e00900003a2","roletype":"User","rolename":"User","domainid":"f8f8593c-7730-11f0-9a5b-1e00900003a2","domain":"ROOT","timezone":"Etc/UTC","apikey":"-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg","accountid":"8a54a7ab-001c-4896-a3b8-e62754b96d64","iscallerchilddomain":false,"isdefault":false,"is2faenabled":false,"is2famandated":false}]}}
{
  "count": 1,
  "user": [
    {
      "account": "ACSUser",
      "username": "user"
    }
  ]
}


cmk -d -s B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw -k -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H list users filter=account,username
[debug] UpdateConfig key:apikey value:-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H update:false
[debug] UpdateConfig key:secretkey value:B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw update:false
[debug] Trying to read API cache from:/Users/kiranchavala/.cmk/profiles/admin.cache
[debug] cmdline args:cmk, -d, -s, B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw, -k, -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H, list, users, filter=account,username
[debug] ExecCmd args: list, users, filter=account,username
[debug] NewAPIRequest API request URL:http://10.0.35.15:8080/client/api?apiKey=-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H&command=listUsers&expires=2025-08-18T10%3A22%3A20Z&filter=account%2Cusername&response=json&signatureversion=3
[debug] NewAPIRequest response status code:401
[debug] Login POST URL:http://10.0.35.15:8080/client/apimap[command:[login] domain:[/] password:[password] response:[json] username:[admin]]
[debug] Login POST response status code:200
[debug] Login sessionkey:ZdHDdfq5-ej3KQDFsNr-BGfIbIc
[debug] NewAPIRequest API request URL:http://10.0.35.15:8080/client/api?apiKey=-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H&command=listUsers&expires=2025-08-18T10%3A22%3A20Z&filter=account%2Cusername&response=json&sessionkey=ZdHDdfq5-ej3KQDFsNr-BGfIbIc&signature=k7uHmJKogVnHRTRj9uiccr5MAtM%3D&signatureversion=3
[debug] NewAPIRequest response body:{"listusersresponse":{"count":2,"user":[{"id":"41b07ac1-7731-11f0-9a5b-1e00900003a2","username":"admin","firstname":"admin","lastname":"cloud","created":"2025-08-12T04:03:08+0000","state":"enabled","account":"admin","accounttype":1,"usersource":"native","roleid":"1c126e6f-7731-11f0-9a5b-1e00900003a2","roletype":"Admin","rolename":"Root Admin","domainid":"f8f8593c-7730-11f0-9a5b-1e00900003a2","domain":"ROOT","apikey":"LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q","accountid":"41afc720-7731-11f0-9a5b-1e00900003a2","iscallerchilddomain":false,"isdefault":true,"is2faenabled":false,"is2famandated":false,"apikeyaccess":"INHERIT"},{"id":"d02cbd60-73aa-4298-a088-11e1ddf5a0dc","username":"admin-kubeadmin","firstname":"admin","lastname":"kubeadmin","email":"kubeadmin","created":"2025-08-13T07:49:48+0000","state":"enabled","account":"admin","accounttype":1,"usersource":"native","roleid":"1c126e6f-7731-11f0-9a5b-1e00900003a2","roletype":"Admin","rolename":"Root Admin","domainid":"f8f8593c-7730-11f0-9a5b-1e00900003a2","domain":"ROOT","apikey":"Yx4kYMSdNcJYrCdKFQfPTTYyJzJkHXqS5oWCX6IK1x-G31VBvfSKTFMQXz7UFbi4c3WerSEYF9B44Jpp2tvxdA","accountid":"41afc720-7731-11f0-9a5b-1e00900003a2","iscallerchilddomain":false,"isdefault":false,"is2faenabled":false,"is2famandated":false,"apikeyaccess":"INHERIT"}]}}
{
  "count": 2,
  "user": [
    {
      "account": "admin",
      "username": "admin"
    },
    {
      "account": "admin",
      "username": "admin-kubeadmin"
    }
  ]
}

After fix


bin/cmk -d -s B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw -k -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg list users filter=account,username
[debug] UpdateConfig key:apikey value:-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg update:false
[debug] UpdateConfig key:secretkey value:B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw update:false
[debug] Trying to read API cache from:/Users/kiranchavala/.cmk/profiles/admin.cache
[debug] cmdline args:bin/cmk, -d, -s, B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw, -k, -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg, list, users, filter=account,username
[debug] ExecCmd args: list, users, filter=account,username
[debug] NewAPIRequest API request URL:http://10.0.35.15:8080/client/api?apiKey=-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg&command=listUsers&expires=2025-08-18T10%3A20%3A46Z&filter=account%2Cusername&response=json&signatureversion=3
[debug] NewAPIRequest response status code:200
[debug] Credentials supplied on command-line, not falling back to login
[debug] NewAPIRequest response body:{"listusersresponse":{"count":1,"user":[{"id":"d15245cc-60fd-4144-b98d-8730d9be6900","username":"user","firstname":"ACloudStack","lastname":"User","email":"[email protected]","created":"2025-08-12T04:22:09+0000","state":"enabled","account":"ACSUser","accounttype":0,"usersource":"native","roleid":"1c12c75a-7731-11f0-9a5b-1e00900003a2","roletype":"User","rolename":"User","domainid":"f8f8593c-7730-11f0-9a5b-1e00900003a2","domain":"ROOT","timezone":"Etc/UTC","apikey":"-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg","accountid":"8a54a7ab-001c-4896-a3b8-e62754b96d64","iscallerchilddomain":false,"isdefault":false,"is2faenabled":false,"is2famandated":false}]}}
{
  "count": 1,
  "user": [
    {
      "account": "ACSUser",
      "username": "user"
    }
  ]
}




bin/cmk -d -s B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw -k -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H list users filter=account,username
[debug] UpdateConfig key:apikey value:-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H update:false
[debug] UpdateConfig key:secretkey value:B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw update:false
[debug] Trying to read API cache from:/Users/kiranchavala/.cmk/profiles/admin.cache
[debug] cmdline args:bin/cmk, -d, -s, B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw, -k, -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H, list, users, filter=account,username
[debug] ExecCmd args: list, users, filter=account,username
[debug] NewAPIRequest API request URL:http://10.0.35.15:8080/client/api?apiKey=-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H&command=listUsers&expires=2025-08-18T10%3A20%3A54Z&filter=account%2Cusername&response=json&signatureversion=3
[debug] NewAPIRequest response status code:401
[debug] Credentials supplied on command-line, not falling back to login
[debug] NewAPIRequest response body:{"listusersresponse":{"uuidList":[],"errorcode":401,"errortext":"unable to verify user credentials and/or request signature"}}
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature

@shwstppr
Contributor Author

> @ingox @shwstppr, independent of the answer, I think this is an improvement as is and we can merge. We can discuss the extra scenario independently, or is there some design impediment in this code for further blocking when in the shell?

@DaanHoogland I'm okay if you want to continue with this and maybe close or update issue #168 accordingly

@DaanHoogland
Contributor

To be clear @shwstppr, I am alright with merging this; it is a clear improvement. The question is whether @ingox thinks it is enough and closes his issue.

@ingox

ingox commented Aug 19, 2025

@shwstppr and @DaanHoogland This is definitely an improvement for this scenario. It will still leave some risk once you're in cmk. I cannot judge the risk of breaking something else if the same behavior gets implemented within cmk.

@shwstppr
Contributor Author

@ingox for now, I think it is safe to limit the new behaviour to command-line case. Otherwise, we can introduce a new config to allow supporting both old and new behaviour. If you are okay, I'll merge this, close your issue and open a new ticket where we can discuss or decide the behaviour for shell case?

@weizhouapache
Member

@shwstppr @DaanHoogland @ingox

Sorry for the late comment.

My idea is a bit radical: we should forget the current keys and user credentials when the user tries to use another user (different env, domain/username, or apikey/secretkey).

To be clear,

  • cmk without arguments: load the default profile. Fall back to username if keys do not work.
  • cmk with profile: load the specified profile. Fall back to username if keys do not work.
  • cmk with -s or -k: load the endpoint URL from default/specified profile or passed by -u. But forget the domain/username/password/apikey/secretkey in profiles.
  • set apikey or set secretkey in cmk shell: forget the domain/username/password/apikey/secretkey loaded from profiles.
  • set domain to a different value: forget the domain/username/password/apikey/secretkey loaded from profiles.
  • set username to a different value: forget the username/password/apikey/secretkey loaded from profiles.

@shwstppr
Contributor Author

@weizhouapache I feel a little too radical 😀

With this if I do,

set user testuser
set domain testdomain

Won't it forget testuser as soon as I set domain?

@weizhouapache
Member

> @weizhouapache I feel a little too radical 😀
>
> With this if I do,
>
> set user testuser
> set domain testdomain
>
> Won't it forget testuser as soon as I set domain?

To be user-friendly, I think it is better not to forget the user when setting the domain, but it increases the complexity.

@ingox

ingox commented Aug 21, 2025

> @shwstppr @DaanHoogland @ingox
>
> Sorry for the late comment.
>
> My idea is a bit radical: we should forget the current keys and user credentials when the user tries to use another user (different env, domain/username, or apikey/secretkey).
>
> To be clear,
>
> * cmk without arguments: load the default profile. Fall back to username if keys do not work.
> * cmk with profile: load the specified profile. Fall back to username if keys do not work.
> * cmk with -s or -k: load the endpoint URL from default/specified profile or passed by `-u`. But forget the domain/username/password/apikey/secretkey in profiles.
> * `set apikey` or `set secretkey` in cmk shell: forget the domain/username/password/apikey/secretkey loaded from profiles.
> * `set domain` to a different value: forget the domain/username/password/apikey/secretkey loaded from profiles.
> * `set username` to a different value: forget the username/password/apikey/secretkey loaded from profiles.

That is a consistent approach and understandable.

@shwstppr
Contributor Author

@ingox @weizhouapache @DaanHoogland if you don't have objections I'll merge this PR and we can create a new issue around better handling of credentials?

@shwstppr
Contributor Author

shwstppr commented Aug 25, 2025

Merging this and creating a new issue to discuss and address credential change especially in cmk shell or when setting credentials individually. #188

@shwstppr shwstppr merged commit 068275e into apache:main Aug 25, 2025
6 checks passed
@shwstppr shwstppr deleted the fix-wrongkeys-access branch August 25, 2025 12:23
Successfully merging this pull request may close these issues.

Credential fall back