Skip to content

Backport #10273 to 4.20: Grant access to 2FA APIs for default read-only and support roles #10702

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
DaanHoogland merged 1 commit into from
Apr 16, 2025
Merged

Backport #10273 to 4.20: Grant access to 2FA APIs for default read-only and support roles #10702

DaanHoogland merged 1 commit into from
Apr 16, 2025

Conversation

@bernardodemarco
Copy link
Member

@bernardodemarco bernardodemarco commented Apr 13, 2025
edited
Loading

Description

The PR #10273 granted access to 2FA-related APIs for the following roles: Read-Only User - Default, Support User - Default, Read-Only Admin - Default, and Support Admin - Default. It was targeted at the 4.19 branch and, as such, the corresponding SQL changes were added to the schema-41910to41920.sql file:

cloudstack/engine/schema/src/main/resources/META-INF/db/schema-41910to41920.sql

Lines 25 to 45 in d32065f

-- Grant access to 2FA APIs for the "Read-Only User - Default" role
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Read-Only User - Default', 'setupUserTwoFactorAuthentication', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Read-Only User - Default', 'validateUserTwoFactorAuthenticationCode', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Read-Only User - Default', 'listUserTwoFactorAuthenticatorProviders', 'ALLOW');
-- Grant access to 2FA APIs for the "Support User - Default" role
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Support User - Default', 'setupUserTwoFactorAuthentication', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Support User - Default', 'validateUserTwoFactorAuthenticationCode', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Support User - Default', 'listUserTwoFactorAuthenticatorProviders', 'ALLOW');
-- Grant access to 2FA APIs for the "Read-Only Admin - Default" role
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Read-Only Admin - Default', 'setupUserTwoFactorAuthentication', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Read-Only Admin - Default', 'validateUserTwoFactorAuthenticationCode', 'ALLOW');
-- Grant access to 2FA APIs for the "Support Admin - Default" role
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Support Admin - Default', 'setupUserTwoFactorAuthentication', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Support Admin - Default', 'validateUserTwoFactorAuthenticationCode', 'ALLOW');

When the patch was merged (January 30, 2025), version 4.20.0.0 had already been released (December 2, 2024). Therefore, it's necessary to backport the #10273 changes to the 4.20 branch and include the SQL updates in the schema-42000to42010.sql database upgrade file.

Thus, this ensures that environments currently running version 4.20.0.0 will receive the changes when upgrading to a next release (i.e., 4.20.1).

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

@bernardodemarco bernardodemarco added this to the 4.20.1 milestone Apr 13, 2025
@bernardodemarco
Copy link
Member Author

bernardodemarco commented Apr 13, 2025

@blueorangutan package

@blueorangutan
Copy link

blueorangutan commented Apr 13, 2025

@bernardodemarco a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@codecov
Copy link

codecov bot commented Apr 13, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 16.01%. Comparing base (d1df418) to head (3ef1f72).
Report is 8 commits behind head on 4.20.

Additional details and impacted files 
@@             Coverage Diff              @@
##               4.20   #10702      +/-   ##
============================================
- Coverage     16.01%   16.01%   -0.01%     
  Complexity    13112    13112              
============================================
  Files          5652     5652              
  Lines        495840   495840              
  Branches      60045    60045              
============================================
- Hits          79414    79410       -4     
- Misses       407566   407568       +2     
- Partials       8860     8862       +2
Flag Coverage Δ
uitests 4.00% <ø> (ø)
unittests 16.85% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@blueorangutan
Copy link

blueorangutan commented Apr 13, 2025

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13032

DaanHoogland
DaanHoogland approved these changes Apr 14, 2025
View reviewed changes
Copy link
Contributor

@DaanHoogland DaanHoogland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need to see if a potential 4.19.3 will also suffer such issues.

weizhouapache
weizhouapache approved these changes Apr 14, 2025
View reviewed changes
Copy link
Member

@weizhouapache weizhouapache left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code lgtm

@bernardodemarco
Copy link
Member Author

bernardodemarco commented Apr 14, 2025

we need to see if a potential 4.19.3 will also suffer such issues.

I don't think it will. Since the SQL queries are included in the schema-41910to41920.sql upgrade file (original PR), all environments upgrading to 4.19.3 will already contain those changes.

Also, when such environments get upgraded to a version greater than 4.20.0.0, those queries will be executed again. However, since the procedure is idempotent, they will not have any real effect.

@DaanHoogland
Copy link
Contributor

DaanHoogland commented Apr 14, 2025

@blueorangutan test

@blueorangutan
Copy link

blueorangutan commented Apr 14, 2025

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan
Copy link

blueorangutan commented Apr 15, 2025

[SF] Trillian test result (tid-12984)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 56445 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10702-t12984-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_01_vpc_site2site_vpn Failure 331.91 test_vpc_vpn.py

@blueorangutan
Copy link

blueorangutan commented Apr 16, 2025

[SF] Trillian test result (tid-12991)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 52456 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10702-t12991-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@DaanHoogland
Copy link
Contributor

DaanHoogland commented Apr 16, 2025

merging this , trusting it has been tested functionaly (see #10273 (review))

@DaanHoogland DaanHoogland merged commit 40d549b into apache:4.20 Apr 16, 2025
25 checks passed
dhslove pushed a commit to ablecloud-team/ablestack-cloud that referenced this pull request Jun 19, 2025
@bernardodemarco @dhslove
backport 10273 (apache#10702)
29b3802
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DaanHoogland DaanHoogland DaanHoogland approved these changes

@JoaoJandre JoaoJandre JoaoJandre approved these changes

@weizhouapache weizhouapache weizhouapache approved these changes

@harikrishna-patnala harikrishna-patnala Awaiting requested review from harikrishna-patnala

@Pearl1594 Pearl1594 Awaiting requested review from Pearl1594

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

4.20.1

Development

Successfully merging this pull request may close these issues.

5 participants

@bernardodemarco @blueorangutan @DaanHoogland @JoaoJandre @weizhouapache