Skip to content

Backport #10273 to 4.20: Grant access to 2FA APIs for default read-only and support roles#10702

Merged
DaanHoogland merged 1 commit intoapache:4.20from
bernardodemarco:backport-10273
Apr 16, 2025
Merged

Backport #10273 to 4.20: Grant access to 2FA APIs for default read-only and support roles#10702
DaanHoogland merged 1 commit intoapache:4.20from
bernardodemarco:backport-10273

Conversation

@bernardodemarco
Copy link
Copy Markdown
Member

@bernardodemarco bernardodemarco commented Apr 13, 2025
edited
Loading

Description

The PR #10273 granted access to 2FA-related APIs for the following roles: Read-Only User - Default, Support User - Default, Read-Only Admin - Default, and Support Admin - Default. It was targeted at the 4.19 branch and, as such, the corresponding SQL changes were added to the schema-41910to41920.sql file:

cloudstack/engine/schema/src/main/resources/META-INF/db/schema-41910to41920.sql

Lines 25 to 45 in d32065f

-- Grant access to 2FA APIs for the "Read-Only User - Default" role
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Read-Only User - Default', 'setupUserTwoFactorAuthentication', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Read-Only User - Default', 'validateUserTwoFactorAuthenticationCode', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Read-Only User - Default', 'listUserTwoFactorAuthenticatorProviders', 'ALLOW');
-- Grant access to 2FA APIs for the "Support User - Default" role
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Support User - Default', 'setupUserTwoFactorAuthentication', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Support User - Default', 'validateUserTwoFactorAuthenticationCode', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Support User - Default', 'listUserTwoFactorAuthenticatorProviders', 'ALLOW');
-- Grant access to 2FA APIs for the "Read-Only Admin - Default" role
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Read-Only Admin - Default', 'setupUserTwoFactorAuthentication', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Read-Only Admin - Default', 'validateUserTwoFactorAuthenticationCode', 'ALLOW');
-- Grant access to 2FA APIs for the "Support Admin - Default" role
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Support Admin - Default', 'setupUserTwoFactorAuthentication', 'ALLOW');
CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Support Admin - Default', 'validateUserTwoFactorAuthenticationCode', 'ALLOW');

When the patch was merged (January 30, 2025), version 4.20.0.0 had already been released (December 2, 2024). Therefore, it's necessary to backport the #10273 changes to the 4.20 branch and include the SQL updates in the schema-42000to42010.sql database upgrade file.

Thus, this ensures that environments currently running version 4.20.0.0 will receive the changes when upgrading to a next release (i.e., 4.20.1).

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

@bernardodemarco bernardodemarco added this to the 4.20.1 milestone Apr 13, 2025
@bernardodemarco
Copy link
Copy Markdown
Member Author

bernardodemarco commented Apr 13, 2025

@blueorangutan package

@blueorangutan
Copy link
Copy Markdown

blueorangutan commented Apr 13, 2025

@bernardodemarco a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 13, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 16.01%. Comparing base (d1df418) to head (3ef1f72).
Report is 8 commits behind head on 4.20.

Additional details and impacted files 
@@             Coverage Diff              @@
##               4.20   #10702      +/-   ##
============================================
- Coverage     16.01%   16.01%   -0.01%     
  Complexity    13112    13112              
============================================
  Files          5652     5652              
  Lines        495840   495840              
  Branches      60045    60045              
============================================
- Hits          79414    79410       -4     
- Misses       407566   407568       +2     
- Partials       8860     8862       +2
Flag Coverage Δ
uitests 4.00% <ø> (ø)
unittests 16.85% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@blueorangutan
Copy link
Copy Markdown

blueorangutan commented Apr 13, 2025

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13032

DaanHoogland
DaanHoogland approved these changes Apr 14, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@DaanHoogland DaanHoogland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need to see if a potential 4.19.3 will also suffer such issues.

weizhouapache
weizhouapache approved these changes Apr 14, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@weizhouapache weizhouapache left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code lgtm

@bernardodemarco
Copy link
Copy Markdown
Member Author

bernardodemarco commented Apr 14, 2025

we need to see if a potential 4.19.3 will also suffer such issues.

I don't think it will. Since the SQL queries are included in the schema-41910to41920.sql upgrade file (original PR), all environments upgrading to 4.19.3 will already contain those changes.

Also, when such environments get upgraded to a version greater than 4.20.0.0, those queries will be executed again. However, since the procedure is idempotent, they will not have any real effect.

@DaanHoogland
Copy link
Copy Markdown
Contributor

DaanHoogland commented Apr 14, 2025

@blueorangutan test

@blueorangutan
Copy link
Copy Markdown

blueorangutan commented Apr 14, 2025

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan
Copy link
Copy Markdown

blueorangutan commented Apr 15, 2025

[SF] Trillian test result (tid-12984)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 56445 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10702-t12984-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_01_vpc_site2site_vpn Failure 331.91 test_vpc_vpn.py

@blueorangutan
Copy link
Copy Markdown

blueorangutan commented Apr 16, 2025

[SF] Trillian test result (tid-12991)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 52456 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10702-t12991-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@DaanHoogland
Copy link
Copy Markdown
Contributor

DaanHoogland commented Apr 16, 2025

merging this , trusting it has been tested functionaly (see #10273 (review))

@DaanHoogland DaanHoogland merged commit 40d549b into apache:4.20 Apr 16, 2025
25 checks passed
dhslove pushed a commit to ablecloud-team/ablestack-cloud that referenced this pull request Jun 19, 2025
@bernardodemarco @dhslove
backport 10273 (apache#10702)
29b3802
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DaanHoogland DaanHoogland DaanHoogland approved these changes

@JoaoJandre JoaoJandre JoaoJandre approved these changes

@weizhouapache weizhouapache weizhouapache approved these changes

@harikrishna-patnala harikrishna-patnala Awaiting requested review from harikrishna-patnala

@Pearl1594 Pearl1594 Awaiting requested review from Pearl1594

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

4.20.1

Development

Successfully merging this pull request may close these issues.

5 participants

@bernardodemarco @blueorangutan @DaanHoogland @JoaoJandre @weizhouapache