Fix doc menu left broken links

.readthedocs.yaml

@@ -1,5 +1,8 @@
 version: 2
 
+sphinx:
+  configuration: source/conf.py
+
 build:
   os: "ubuntu-22.04"
   tools:

README.rst

@@ -90,7 +90,7 @@ On your computer, follow these steps to setup a local repository for working on
 .. code:: bash
 
    $ git clone https://github.com/YOUR_ACCOUNT/cloudstack-documentation.git
-   $ cd cloudstack-docs-install
+   $ cd cloudstack-documentation
    $ git remote add upstream https://github.com/apache/cloudstack-documentation.git
    $ git checkout main
    $ git fetch upstream

requirements.txt

@@ -2,4 +2,4 @@ docutils==0.20.1
 Sphinx==7.2.6
 sphinx-rtd-theme==2.0.0
 readthedocs-sphinx-ext==2.2.5
-Jinja2==3.1.3
+Jinja2==3.1.5

source/_global.rst

@@ -25,19 +25,20 @@
 
 .. Latest version systemvm template name
 
-.. |sysvm64-version|     replace:: 4.19.1
-.. |sysvm64-name-xen|    replace:: systemvm-xenserver-4.19.1
-.. |sysvm64-name-kvm|    replace:: systemvm-kvm-4.19.1
-.. |sysvm64-name-vmware| replace:: systemvm-vmware-4.19.1
-.. |sysvm64-name-hyperv| replace:: systemvm-hyperv-4.19.1
-.. |sysvm64-name-ovm|    replace:: systemvm-ovm-4.19.1
+.. |sysvm64-version|     replace:: 4.20.1
+.. |sysvm64-name-xen|    replace:: systemvm-xenserver-4.20.1-x86_64
+.. |sysvm64-name-kvm|    replace:: systemvm-kvm-4.20.1-x86_64
+.. |sysvm64-name-vmware| replace:: systemvm-vmware-4.20.1-x86_64
+.. |sysvm64-name-hyperv| replace:: systemvm-hyperv-4.20.1-x86_64
+.. |sysvm64-name-ovm|    replace:: systemvm-ovm-4.20.1-x86_64
 
 .. Latest version systemvm template URL
-.. |sysvm64-url-xen|    replace:: http://download.cloudstack.org/systemvm/4.19/systemvmtemplate-4.19.1-xen.vhd.bz2
-.. |sysvm64-url-kvm|    replace:: http://download.cloudstack.org/systemvm/4.19/systemvmtemplate-4.19.1-kvm.qcow2.bz2
-.. |sysvm64-url-vmware| replace:: http://download.cloudstack.org/systemvm/4.19/systemvmtemplate-4.19.1-vmware.ova
-.. |sysvm64-url-hyperv| replace:: http://download.cloudstack.org/systemvm/4.19/systemvmtemplate-4.19.1-hyperv.vhd.zip
-.. |sysvm64-url-ovm|    replace:: http://download.cloudstack.org/systemvm/4.19/systemvmtemplate-4.19.1-ovm.raw.bz2
+.. |sysvm64-url-xen|            replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-xen.vhd.bz2
+.. |sysvm64-url-kvm|            replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-kvm.qcow2.bz2
+.. |sysvm64-url-kvm-aarch64|    replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-aarch64-kvm.qcow2.bz2
+.. |sysvm64-url-vmware|         replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-vmware.ova
+.. |sysvm64-url-hyperv|         replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-hyperv.vhd.zip
+.. |sysvm64-url-ovm|            replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-ovm.raw.bz2
 
 .. Images
 

source/adminguide/accounts.rst

@@ -481,37 +481,77 @@ to be applied through the API call described above.
 
 
 In addition to those shown in the example script above, the following
-configuration items can be configured (the default values are for
-openldap)
+configuration items can be configured on a Global or on a per Domain level (the default values are for
+OpenLDAP) 
+
+.. list-table:: LDAP Settings
+   :header-rows: 1
+
+   * - Setting
+     - OpenLDAP
+     - Active Directory
+     - Description
+   * - ``ldap.basedn``
+     - `Ex: OU=APAC, DC=company, DC=com`
+     - `Ex: DC=company, DC=com`
+     - Sets the basedn for LDAP.
+   * - ``ldap.search.group.principle``
+     - `Ex: CN=ACSGroup, DC=company, DC=com`
+     - `Ex: CN=ACSGroup, CN=Users, DC=company, DC=com`
+     - (optional) if set only Users from this group are listed.
+   * - ``ldap.bind.principal``
+     - `Ex: CN=ACSServiceAccount, OU=APAC, DC=company, DC=com`
+     - `Ex: CN=ACSServiceAccount, CN=Users, DC=company, DC=com`
+     - Service account that can list all the Users in the above basedn. Avoid using privileged account such as Administrator.
+   * - ``ldap.bind.password``
+     - `******************`
+     - `******************`
+     - Password for a DN User. Is entered in plain text but gets stored encrypted.
+   * - ``ldap.user.object``
+     - `interorgperson`
+     - `user`
+     - Object type of Users within LDAP.
+   * - ``ldap.email.attribute``
+     - `mail`
+     - `mail`
+     - Email attribute within ldap for a User.
+   * - ``ldap.firstname.attribute``
+     - `givenname`
+     - `givenname`
+     - firstname attribute within ldap for a User.
+   * - ``ldap.lastname.attribute``
+     - `sn`
+     - `sn`
+     - lastname attribute within ldap for a User.
+   * - ``ldap.group.object``
+     - `groupOfUniqueNames`
+     - `groupOfUniqueNames`
+     - Object type of groups within LDAP.
+   * - ``ldap.group.user.uniquemember``
+     - `uniquemember`
+     - `uniquemember`
+     - Attribute for uniquemembers within a group.
+
+   .. note:: ``ldap.search.group.principle`` is required when using ``linkaccounttoldap``.
+
+Once configured, on Add Account page, you will see an "Add LDAP Account" button which opens a dialog and the selected Users can be imported.
 
--  ``ldap.basedn``:	Sets the basedn for LDAP. Ex: **OU=APAC,DC=company,DC=com**
-
--  ``ldap.bind.principal``, ``ldap.bind.password``: DN and password for a User
-   who can list all the Users in the above basedn. Ex:
-   **CN=Administrator, OU=APAC, DC=company, DC=com**
-
--  ``ldap.user.object``: object type of Users within LDAP. Defaults value is
-   **user** for AD and **interorgperson** for openldap.
-
--  ``ldap.email.attribute``: email attribute within ldap for a User. Default
-   value for AD and openldap is **mail**.
+.. figure:: /_static/images/CloudStack-ldap-screen1.png
+   :align:   center
 
--  ``ldap.firstname.attribute``: firstname attribute within ldap for a User.
-   Default value for AD and openldap is **givenname**.
 
--  ``ldap.lastname.attribute``: lastname attribute within ldap for a User.
-   Default value for AD and openldap is **sn**.
+You could also use api commands:
+``listLdapUsers``, to list Users in LDAP that could or would be imported in CloudStack
+``ldapCreateAccount``, to manually create a User in a specific Account
+``importLdapUsers``, to batch import Users from LDAP
 
--  ``ldap.username.attribute``: username attribute for a User within LDAP.
-   Default value is **SAMAccountName** for AD and **uid** for openldap.
+Once LDAP is enabled, the Users will not be allowed to changed password
+directly in CloudStack.
 
 
-Restricting LDAP Users to a group:
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
--  ``ldap.search.group.principle``: this is optional and if set only Users from
-   this group are listed.
 
+   .. note:: this is required when using ``linkaccounttoldap``.
 
 LDAP SSL:
 ~~~~~~~~~
@@ -524,30 +564,6 @@ You will need to know the path to the keystore and the password.
 -  ``ldap.truststore.password`` : truststore password
 
 
-LDAP groups:
-~~~~~~~~~~~~
-
--  ``ldap.group.object``: object type of groups within LDAP. Default value is
-   group for AD and **groupOfUniqueNames** for openldap.
-
--  ``ldap.group.user.uniquemember``: attribute for uniquemembers within a group.
-   Default value is **member** for AD and **uniquemember** for openldap.
-
-Once configured, on Add Account page, you will see an "Add LDAP Account" button
-which opens a dialog and the selected Users can be imported.
-
-.. figure:: /_static/images/CloudStack-ldap-screen1.png
-   :align:   center
-
-
-You could also use api commands:
-``listLdapUsers``, to list Users in LDAP that could or would be imported in CloudStack
-``ldapCreateAccount``, to manually create a User in a specific Account
-``importLdapUsers``, to batch import Users from LDAP
-
-Once LDAP is enabled, the Users will not be allowed to changed password
-directly in CloudStack.
-
 .. |button to dedicate a zone, pod,cluster, or host| image:: /_static/images/dedicate-resource-button.png
 
 Using a SAML 2.0 Identity Provider for User Authentication
@@ -632,7 +648,7 @@ Using OAuth2 Authentication For Users
 
 OAuth2, the industry-standard authorization or authentication framework, simplifies the process of
 granting access to resources. CloudStack supports OAuth2 authentication wherein users can login into
-CloudStack without using username and password. CloudStack currently supports Google and Github providers.
+CloudStack without using username and password. CloudStack currently supports Google and GitHub providers.
 Other OAuth2 providers can be easily integrated with CloudStack using its plugin framework.
 
 For admins, the following are the settings available at global level to configure OAuth2.
@@ -671,21 +687,16 @@ To register the OAuth provider client ID, redirect URI, secret key have to provi
 OAuth 2.0 has to be first configured in the corresponding provider to obtain the client ID, redirect URI, secret Key.
 
 For Google, please follow the instructions mentioned here `"Setting up OAuth 2.0 in Google" <https://support.google.com/cloud/answer/6158849?hl=en>`_.
-For Github, please follow the instructions mentioned here `"Setting up OAuth 2.0 in Github" <https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app>`_.
+For GitHub, please follow the instructions mentioned here `"Setting up OAuth 2.0 in GitHub" <https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app>`_.
 
 In any OAuth 2.0 configuration admin has to use the redirect URI "http://<management server IP>:<port>/#/verifyOauth"
 
 .. Note:: [Google OAuth 2.0 redirect URI] :
-          Google OAuth 2.0 configuration wont accept '#' in the URI, please use "http://<management server Domain>:<port>/?verifyOauth"
+          Google OAuth 2.0 configuration won't accept '#' in the URI, please use "http://<management server Domain>:<port>/?verifyOauth"
           Google does not accept direct IP address in the redirect URI, it must be a domain. As a workaround one can add the management
           server IP to host table in the local system and assign a domain, something like "management.cloud". In that redirect URI looks like
           "http://management.cloud:8080/?verifyOauth"
 
-.. image:: /_static/images/oauth-provider-registration.png
-   :width: 400px
-   :align: center
-   :alt: OAuth provider registration
-
 Following are the details needs to be provided to register the OAuth provider, this is to call the API "registerOauthProvider"
 
    -  **Provider**: Name of the provider from the list of OAuth providers supported in CloudStack
@@ -698,6 +709,11 @@ Following are the details needs to be provided to register the OAuth provider, t
 
    -  **Secret Key**: Secret Key pre-registered in the specific OAuth provider
 
+.. image:: /_static/images/oauth-provider-registration.png
+   :width: 400px
+   :align: center
+   :alt: OAuth provider registration
+
 Cloudmonkey API call looks like
 
    -  register oauthprovider provider=google description="Google Provider"
@@ -807,4 +823,153 @@ The admin can also disable 2FA for a User using the action button as shown below
           If the admin themself loses the authenticator application or forgets the static PIN, then the admin
           will have to either use apikey to disable 2FA using the API setupUserTwoFactorAuthentication with
           enable flag to false or to do the database changes in 'user' table by clearing the columns
-          'is_user_2fa_enabled', 'key_for_2fa', 'user_2fa_provider' for the specific entry.
+          'is_user_2fa_enabled', 'key_for_2fa', 'user_2fa_provider' for the specific entry.
+
+Password Recovery for Users (Forgot Password)
+---------------------------------------------
+
+CloudStack supports password recovery using email. To enable this feature,
+set global setting `user.password.reset.enabled` to `true`. The following
+global settings are available to configure SMTP for password recovery.
+
+
+.. list-table:: Password Recovery Global Settings
+   :header-rows: 1
+
+   * - Global setting
+     - Default
+     - Description
+   * - ``user.password.reset.enabled``
+     - `false`
+     - Determines whether password recovery via email is enabled or not.
+   * - ``user.password.reset.ttl``
+     - `30`
+     - TTL in minutes for the token generated to reset the ACS user's password.
+   * - ``user.password.reset.email.sender``
+     - `null`
+     - Sender for emails sent to the user to reset ACS user's password
+   * - ``user.password.reset.smtp.host``
+     - `null`
+     - Host for SMTP server
+   * - ``user.password.reset.smtp.port``
+     - `25`
+     - Port for SMTP server
+   * - ``user.password.reset.smtp.useAuth``
+     - `false`
+     - Use auth in the SMTP server
+   * - ``user.password.reset.smtp.username``
+     - `null`
+     - Username for SMTP server
+   * - ``user.password.reset.smtp.password``
+     - `null`
+     - Password for SMTP Server
+   * - ``user.password.reset.mail.template``
+     - `Hello {{username}}!`
+
+       `You have requested to reset your password. Please click the following link to reset your password:``
+
+       `http://{{{resetLink}}}`
+
+       `If you did not request a password reset, please ignore this email.`
+
+
+       `Regards,`
+
+       `The CloudStack Team`
+     - Template of mail sent to the user to reset ACS user's password. This uses
+       mustache template engine. Available variables are: `username`, 
+       `firstName`, `lastName`, `resetLink`, `token`.
+
+
+Once the global settings are configured, follow the below steps to reset the
+password for a user:
+
+#. Open the "Forgot Password" link on the login page.
+
+   .. figure:: /_static/images/default-login.png
+      :align:   center
+
+#. Enter your username and domain name and click on "Submit".
+
+   .. figure:: /_static/images/forgot-password.png
+      :align:   center
+
+#. An email will be sent to the User with a link to reset the password.
+
+#. Open the link in the email and set the new password.
+
+   .. figure:: /_static/images/reset-password.png
+      :align:   center
+
+Using API Key and Secret Key based Authentication
+-------------------------------------------------
+Users can generate API key and Secret key to directly access CloudStack APIs.
+This authentication method is used for programmatically calling CloudStack APIs and thus helps in automation.
+The API key uniquely identifies the Account, while the Secret key is used to generate a secure signature.
+When making an API call, the API key and signature are included along with the command and other parameters,
+and sent to the CloudStack API endpoint. For detailed information, refer to the CloudStack's Programmer Guide.
+
+Disabling Api Key and Secret Key based Access
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Root Administrators may choose to Disable Api key based access for certain Users, Accounts or Domains.
+Or the Administrator may choose to Disable Api Key based access globally and allow only for certain users.
+This could be particularly useful in cases where external authorization mechanisms like LDAP, SAML or OAuth2 are used,
+as then Api key based authorization is the only means for automation.
+This gives control to the Admin over who is allowed to run automation.
+
+Api key based access is enabled by default but it can be disabled (or enabled) at different granularities:
+
+1. Users
+
+Setting for a User can be changed through the Api Key Access field in the Edit User form, visible only to the Root Administrator.
+Three values are possible: Disable, Enable and Inherit. Inherit means that the User will inherit whatever value is set for the Account.
+
+    .. figure:: /_static/images/edit-user-api-key-access.png
+       :align:  center
+
+Admins can also search for Users having the required Api key access value using the User list view search filter.
+
+    .. figure:: /_static/images/filter-user-api-key-access.png
+       :align:  center
+
+2. Accounts
+
+Similar to Users, Api Key Access field is present in the Edit Account Form and the Account list view search filter, only for the Root Administrator. 
+If the value is set to Inherit, it means that Account will inherit whatever value is set for the Domain.
+
+3. Domains
+
+Api Key Access at Domain level is controlled by the Domain level setting "api.key.access". If the Domain level
+configuration is not set, then similar to other configurations it will consult the global value.
+
+4. Global
+
+The global value of the configuration setting "api.key.access" is set to 'True' by default. So Api Key Access at
+all levels is enabled by default. If the global value is changed to 'False' without setting any of the lower levels,
+then Api Key Access will be disabled for all Users.
+
+Order of Precedence
+^^^^^^^^^^^^^^^^^^^
+The local value always takes precedence over the global value. So if Api key access is disabled for a User but
+enabled for an Account, the User authorisation will still fail. Only if the User's Api key access is set to
+'Inherit', the Account's Api Key Access value is considered.
+Similarly if Account's Api Key Access is set to 'Inherit', only then the Domain level setting is considered,
+And only if the Domain level configuration is not set, the Global configuration is considered.
+
+Examples
+^^^^^^^^
+
+#. Disallow Api key access for all Accounts and Users in a Domain.
+
+    #. Leave all User and Account level Api Key Access values to the default 'Inherit'.
+    #. Set the Domain level setting "api.key.access" to False only for the required domain.
+
+#. Disallow Api key access for some Users, but allowed globally.
+
+    #. Set the User level permission to ‘Disabled’ only for the required Users.
+    #. All upper level permissions should either be Inherit or Enabled.
+
+#. Allow Api key access to some Users, but disallowed globally.
+
+    #. Set User level permission to ‘Enabled’ only for the required Users.
+    #. All upper level permissions should either be Inherit or Disabled.