Allow admins to disable the 2FA of users in subdomains#7870
Conversation
Codecov Report
@@ Coverage Diff @@
## 4.18 #7870 +/- ##
============================================
- Coverage 13.02% 13.02% -0.01%
+ Complexity 9040 9039 -1
============================================
Files 2720 2720
Lines 257094 257092 -2
Branches 40092 40091 -1
============================================
- Hits 33491 33489 -2
- Misses 219398 219400 +2
+ Partials 4205 4203 -2
... and 1 file with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
|
In addition to @harikrishna-patnala 's comment, I wonder if scenario 11 is really what we want? |
good point @DaanHoogland @winterhazel can you test if |
You can force users to use 2FA by enabling the global setting However, I think we can reconsider the behavior of this API to not allow users to disable their 2FA in the first place when this setting is enabled and return a message saying that 2FA is mandatory, since users may think the current behavior is a bug. |
I would say we can still allow disabling the 2FA just in case user wants to reset the 2FA settings to use other provider. To provide more visibility to the user we can pop up a warning message when user tries to disable 2FA saying something like "2FA needs to setup again since it is mandated by the admin" |
This makes sense @harikrishna-patnala , but would not have to be included in this PR. It seems like a separate improvement. cc @weizhouapache @winterhazel ?? |
agree with @DaanHoogland |
|
@blueorangutan package |
|
@weizhouapache a [SF] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 6826 |
|
@blueorangutan test |
|
@weizhouapache a [SF] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
This is a valid reason to allow users to disable their 2FA. I think @harikrishna-patnala's suggestion of providing more information to the user is great. We can handle it in a separate PR, though. |
|
[SF] Trillian test result (tid-7478)
|
|
tested ok |
Description
Admins should be able to disable the 2FA of users that lost their second factor; however, the
setupUserTwoFactorAuthenticationAPI only allows them to disable the 2FA of users in the same domain. This means that, if the root admin wants to disable the 2FA of a user in ROOT/test, he must create a domain admin account in ROOT/test and log into that account to do this.This PR addresses this issue by allowing admins to disable the 2FA of users in their subdomains.
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?
I did the following tests in a local lab: