access: prevent login with username-password when command-line credentials given by shwstppr · Pull Request #174 · apache/cloudstack-cloudmonkey

shwstppr · 2025-08-07T03:02:59Z

Fixes #168

Prevents falling back to username-password login when credentials are passed as command-line argument and authentication fails.

⇒  bin/cmk -d -s anc -k bnm listzones id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64                   
[debug] UpdateConfig key:apikey value:bnm update:false
[debug] UpdateConfig key:secretkey value:anc update:false
[debug] Trying to read API cache from:/home/shwstppr/.cmk/profiles/lab.cache
[debug] cmdline args:bin/cmk, -d, -s, anc, -k, bnm, listzones, id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64
[debug] ExecCmd args: listzones, id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64
[debug] NewAPIRequest API request URL:http://10.1.34.104:8080/client/api?apiKey=bnm&command=listZones&expires=2025-08-13T10%3A24%3A03Z&id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64&response=json&signatureversion=3
[debug] NewAPIRequest response status code:401
[debug] Credentials supplied on command-line, not falling back to login
[debug] NewAPIRequest response body:{"listzonesresponse":{"uuidList":[],"errorcode":401,"errortext":"unable to verify user credentials and/or request signature"}}
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature

When using cmk shell, fallback will work as before,

⇒  make run                                                                                      fix-wrongkeys-access| 
▶  Running gofmt…
▶  Building executable… ec3d185
▶  Done!
./bin/cmk
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(lab) 🐱 > set apikey abc
(lab) 🐱 > set secretkey xyz
(lab) 🐱 > set debug true
[debug] UpdateConfig key:debug value:true update:true
[debug] Trying to read API cache from:/home/shwstppr/.cmk/profiles/lab.cache
(lab) 🐱 > listZones
[debug] ExecLine line:listZones
[debug] ExecCmd args: listZones
[debug] NewAPIRequest API request URL:http://10.1.34.104:8080/client/api?apiKey=abc&command=listZones&expires=2025-08-13T10%3A25%3A21Z&response=json&signatureversion=3
[debug] NewAPIRequest response status code:401
[debug] Login POST URL:http://10.1.34.104:8080/client/apimap[command:[login] domain:[] password:[password] response:[json] username:[admin]]
[debug] Login POST response status code:200
[debug] Login response body:{"loginresponse":{"username":"admin","userid":"74d47f65-775b-11f0-8165-1e00b8000b26","domainid":"23aedd87-775b-11f0-8165-1e00b8000b26","timeout":1800,"account":"admin","firstname":"admin","lastname":"cloud","type":"1","timezone":"UTC","timezoneoffset":"0.0","registered":"false","sessionkey":"rEAzq-E0b2YkARTO423lX0rxH2k","is2faenabled":"false","is2faverified":"true","issuerfor2fa":"CloudStack"}}
[debug] Login sessionkey:rEAzq-E0b2YkARTO423lX0rxH2k
[debug] Checking if 2FA is enabled and verified for the user map[account:admin domainid:23aedd87-775b-11f0-8165-1e00b8000b26 firstname:admin is2faenabled:false is2faverified:true issuerfor2fa:CloudStack lastname:cloud registered:false sessionkey:rEAzq-E0b2YkARTO423lX0rxH2k timeout:1800 timezone:UTC timezoneoffset:0.0 type:1 userid:74d47f65-775b-11f0-8165-1e00b8000b26 username:admin]
[debug] 2FA is not enabled for the user, skipping 2FA validation
[debug] NewAPIRequest API request URL:http://10.1.34.104:8080/client/api?apiKey=abc&command=listZones&expires=2025-08-13T10%3A25%3A21Z&response=json&sessionkey=rEAzq-E0b2YkARTO423lX0rxH2k&signature=fFYoHcaaDtrv93FPX7hjiRwia4E%3D&signatureversion=3
[debug] NewAPIRequest response body:{"listzonesresponse":{"count":1,"zone":[{"id":"b37b6f25-3c68-4fd1-8945-ed1852ca7e64","name":"ref-trl-5997-k-Mr9-abhishek-kumar","dns1":"10.1.32.1","dns2":"8.8.8.8","internaldns1":"10.1.32.1","internaldns2":"8.8.4.4","guestcidraddress":"10.1.1.0/24","networktype":"Advanced","securitygroupsenabled":false,"allocationstate":"Enabled","zonetoken":"c759dd00-13f1-3a2d-897f-c2f917a23e39","dhcpprovider":"VirtualRouter","localstorageenabled":false,"tags":[],"allowuserspecifyvrmtu":false,"routerprivateinterfacemaxmtu":1500,"routerpublicinterfacemaxmtu":1500,"type":"Core","isnsxenabled":false,"ismultiarch":false,"asnrange":"","routedmodeenabled":true,"hasannotations":false}]}}
{
  "count": 1,
  "zone": [
    {
      "allocationstate": "Enabled",
      "allowuserspecifyvrmtu": false,
      "asnrange": "",
      "dhcpprovider": "VirtualRouter",
      "dns1": "10.1.32.1",
      "dns2": "8.8.8.8",
      "guestcidraddress": "10.1.1.0/24",
      "hasannotations": false,
      "id": "b37b6f25-3c68-4fd1-8945-ed1852ca7e64",
      "internaldns1": "10.1.32.1",
      "internaldns2": "8.8.4.4",
      "ismultiarch": false,
      "isnsxenabled": false,
      "localstorageenabled": false,
      "name": "ref-trl-5997-k-Mr9-abhishek-kumar",
      "networktype": "Advanced",
      "routedmodeenabled": true,
      "routerprivateinterfacemaxmtu": 1500,
      "routerpublicinterfacemaxmtu": 1500,
      "securitygroupsenabled": false,
      "tags": [],
      "type": "Core",
      "zonetoken": "c759dd00-13f1-3a2d-897f-c2f917a23e39"
    }
  ]
}

weizhouapache · 2025-08-07T07:50:10Z

@shwstppr
if in .cmk/config, the apikey and secretkey are wrong, but username and password are correct , will it work ?

shwstppr · 2025-08-07T11:07:34Z

@weizhouapache no. I think that is the issue @ingox was mentioning.
Currently, you can set username/password for the admin and apikey/secretkey for any user. If the API call fails with keys, it logs in with username/pass, which could be problematic for the use case Ingo was referring.

weizhouapache · 2025-08-07T14:17:19Z

@weizhouapache no. I think that is the issue @ingox was mentioning.

Yes, it is the issue that @ingox reported. It seems like @DaanHoogland and @ingox have agreed it is a bash issue.

Currently, you can set username/password for the admin and apikey/secretkey for any user. If the API call fails with keys, it logs in with username/pass, which could be problematic for the use case Ingo was referring.

my understanding is a bit different.
if users use -s or -k or "set apikey" or "set secretkey" , do not load any profiles in config file, or clean existing profile.
Otherwise, load the profile in config file. if apikey/secretkey are wrong in config file, then use username and password instead.

shwstppr · 2025-08-08T09:44:01Z

Thanks @weizhouapache. I don't have a strong opinion either way, so I'm happy to close this if we have agreement, it should work as it is.

github-actions · 2025-08-08T10:08:14Z

✅ Build complete for PR #174.

🔗 Download the cmk binaries (expires on August 23, 2025)

DaanHoogland · 2025-08-12T09:36:13Z

@shwstppr work kind of like expected. I have one functional concern though:

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set apikey 
(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set apikey plplpl
(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set secretkey plplpl
(randy) 🐱 > sync
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature
(randy) 🐱 > set secretkey
(randy) 🐱 > sync
Discovered 877 APIs

as you can see above, setting only a “wrong” APIkey does not stop me from logging in. Is that what we want? I think this does not address all of @ingox concern. In this way we can still fool ourselfves.

~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k plpl
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key> -s <good key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key> -s <bad key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs

when not using a profile as the basis it works as expected btw:

~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -k <good key> -s <good key> -u http://10.0.34.242:8080/client/api
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -k <good key> -s <bad key> -u http://10.0.34.242:8080/client/api
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature

What do you think about my comment here ? In short, I would expect any configured credentials to be ignored once the CLI contains any credentials.

shwstppr · 2025-08-12T10:00:13Z

@DaanHoogland I think this needs a bit more discussion. I agree that if valid credentials are available, any invalid ones should be ignored. However, the use case @ingox raised is also valid.

One option is to add a config flag—say, allowfallback—to toggle this behaviour. Alternatively, to keep cmk simple, we could avoid a new setting and address Ingo’s scenario with a few preparatory steps before setting keys (e.g., clear stale credentials, explicitly select the target profile, and validate with a quick API call).
cmk set profile user
cmk set username <USER_ACCOUNT_NAME>
cmk -s -k

I'm converting this to draft for now

DaanHoogland · 2025-08-12T11:27:57Z

@ingox can you read #174 (comment) and #174 (comment) and give your opinion, please?

…tials given Fixes apache#168 Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

shwstppr · 2025-08-13T10:14:22Z

@ingox @DaanHoogland @weizhouapache can you please check now

(PR description updated)

DaanHoogland · 2025-08-14T12:47:56Z

✅ Build complete for PR #174.

🔗 Download the cmk binaries (expires on August 23, 2025)

@ingox can you download these files and do a test with the version for your platform, please?

DaanHoogland

clgtm

ingox · 2025-08-14T14:58:20Z

Hello all,
here are my test results using CloudMonkey 6.4.0 (build: ec3d185, 2025-08-13T10:07:02+0000)
./cmk.linux.x86-64 -k right -s right #once loged in: list users --> I'm a user
./cmk.linux.x86-64 -k wrong -s wrong #once loged in: list users --> I'm admin
./cmk.linux.x86-64 -k right -s right list users --> I'm a user
./cmk.linux.x86-64 -k wrong -s wrong list users --> Error: (HTTP 401, error code ) unable to verify user credentials and/or request signature

So there is a different behavior between passing the command directly or logging into cmk and run the command from there.

shwstppr · 2025-08-18T04:35:16Z

@ingox my understanding was we agreed to this behaviour #168 (comment)
In cmk shell, we are trying both means of authentication because we are relying on the profile

DaanHoogland · 2025-08-18T08:23:04Z

@ingox @shwstppr , independent of the answer, I think this is an improvement as is and we can merge. We can discuss the extra scenario independently , or is there some design impediment in this code for further blocking when in the shell?

kiranchavala

LGTM verified manually

Before fix

cmk -d -s B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw -k -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg list users filter=account,username
[debug] UpdateConfig key:apikey value:-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg update:false
[debug] UpdateConfig key:secretkey value:B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw update:false
[debug] Trying to read API cache from:/Users/kiranchavala/.cmk/profiles/admin.cache
[debug] cmdline args:cmk, -d, -s, B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw, -k, -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg, list, users, filter=account,username
[debug] ExecCmd args: list, users, filter=account,username
[debug] NewAPIRequest API request URL:http://10.0.35.15:8080/client/api?apiKey=-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg&command=listUsers&expires=2025-08-18T10%3A22%3A05Z&filter=account%2Cusername&response=json&signatureversion=3
[debug] NewAPIRequest response status code:200
[debug] NewAPIRequest response body:{"listusersresponse":{"count":1,"user":[{"id":"d15245cc-60fd-4144-b98d-8730d9be6900","username":"user","firstname":"ACloudStack","lastname":"User","email":"sblab@shapeblue.com","created":"2025-08-12T04:22:09+0000","state":"enabled","account":"ACSUser","accounttype":0,"usersource":"native","roleid":"1c12c75a-7731-11f0-9a5b-1e00900003a2","roletype":"User","rolename":"User","domainid":"f8f8593c-7730-11f0-9a5b-1e00900003a2","domain":"ROOT","timezone":"Etc/UTC","apikey":"-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg","accountid":"8a54a7ab-001c-4896-a3b8-e62754b96d64","iscallerchilddomain":false,"isdefault":false,"is2faenabled":false,"is2famandated":false}]}}
{
  "count": 1,
  "user": [
    {
      "account": "ACSUser",
      "username": "user"
    }
  ]
}


cmk -d -s B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw -k -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H list users filter=account,username
[debug] UpdateConfig key:apikey value:-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H update:false
[debug] UpdateConfig key:secretkey value:B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw update:false
[debug] Trying to read API cache from:/Users/kiranchavala/.cmk/profiles/admin.cache
[debug] cmdline args:cmk, -d, -s, B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw, -k, -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H, list, users, filter=account,username
[debug] ExecCmd args: list, users, filter=account,username
[debug] NewAPIRequest API request URL:http://10.0.35.15:8080/client/api?apiKey=-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H&command=listUsers&expires=2025-08-18T10%3A22%3A20Z&filter=account%2Cusername&response=json&signatureversion=3
[debug] NewAPIRequest response status code:401
[debug] Login POST URL:http://10.0.35.15:8080/client/apimap[command:[login] domain:[/] password:[password] response:[json] username:[admin]]
[debug] Login POST response status code:200
[debug] Login sessionkey:ZdHDdfq5-ej3KQDFsNr-BGfIbIc
[debug] NewAPIRequest API request URL:http://10.0.35.15:8080/client/api?apiKey=-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H&command=listUsers&expires=2025-08-18T10%3A22%3A20Z&filter=account%2Cusername&response=json&sessionkey=ZdHDdfq5-ej3KQDFsNr-BGfIbIc&signature=k7uHmJKogVnHRTRj9uiccr5MAtM%3D&signatureversion=3
[debug] NewAPIRequest response body:{"listusersresponse":{"count":2,"user":[{"id":"41b07ac1-7731-11f0-9a5b-1e00900003a2","username":"admin","firstname":"admin","lastname":"cloud","created":"2025-08-12T04:03:08+0000","state":"enabled","account":"admin","accounttype":1,"usersource":"native","roleid":"1c126e6f-7731-11f0-9a5b-1e00900003a2","roletype":"Admin","rolename":"Root Admin","domainid":"f8f8593c-7730-11f0-9a5b-1e00900003a2","domain":"ROOT","apikey":"LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q","accountid":"41afc720-7731-11f0-9a5b-1e00900003a2","iscallerchilddomain":false,"isdefault":true,"is2faenabled":false,"is2famandated":false,"apikeyaccess":"INHERIT"},{"id":"d02cbd60-73aa-4298-a088-11e1ddf5a0dc","username":"admin-kubeadmin","firstname":"admin","lastname":"kubeadmin","email":"kubeadmin","created":"2025-08-13T07:49:48+0000","state":"enabled","account":"admin","accounttype":1,"usersource":"native","roleid":"1c126e6f-7731-11f0-9a5b-1e00900003a2","roletype":"Admin","rolename":"Root Admin","domainid":"f8f8593c-7730-11f0-9a5b-1e00900003a2","domain":"ROOT","apikey":"Yx4kYMSdNcJYrCdKFQfPTTYyJzJkHXqS5oWCX6IK1x-G31VBvfSKTFMQXz7UFbi4c3WerSEYF9B44Jpp2tvxdA","accountid":"41afc720-7731-11f0-9a5b-1e00900003a2","iscallerchilddomain":false,"isdefault":false,"is2faenabled":false,"is2famandated":false,"apikeyaccess":"INHERIT"}]}}
{
  "count": 2,
  "user": [
    {
      "account": "admin",
      "username": "admin"
    },
    {
      "account": "admin",
      "username": "admin-kubeadmin"
    }
  ]
}

After fix


bin/cmk -d -s B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw -k -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg list users filter=account,username
[debug] UpdateConfig key:apikey value:-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg update:false
[debug] UpdateConfig key:secretkey value:B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw update:false
[debug] Trying to read API cache from:/Users/kiranchavala/.cmk/profiles/admin.cache
[debug] cmdline args:bin/cmk, -d, -s, B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw, -k, -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg, list, users, filter=account,username
[debug] ExecCmd args: list, users, filter=account,username
[debug] NewAPIRequest API request URL:http://10.0.35.15:8080/client/api?apiKey=-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg&command=listUsers&expires=2025-08-18T10%3A20%3A46Z&filter=account%2Cusername&response=json&signatureversion=3
[debug] NewAPIRequest response status code:200
[debug] Credentials supplied on command-line, not falling back to login
[debug] NewAPIRequest response body:{"listusersresponse":{"count":1,"user":[{"id":"d15245cc-60fd-4144-b98d-8730d9be6900","username":"user","firstname":"ACloudStack","lastname":"User","email":"sblab@shapeblue.com","created":"2025-08-12T04:22:09+0000","state":"enabled","account":"ACSUser","accounttype":0,"usersource":"native","roleid":"1c12c75a-7731-11f0-9a5b-1e00900003a2","roletype":"User","rolename":"User","domainid":"f8f8593c-7730-11f0-9a5b-1e00900003a2","domain":"ROOT","timezone":"Etc/UTC","apikey":"-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3Hg","accountid":"8a54a7ab-001c-4896-a3b8-e62754b96d64","iscallerchilddomain":false,"isdefault":false,"is2faenabled":false,"is2famandated":false}]}}
{
  "count": 1,
  "user": [
    {
      "account": "ACSUser",
      "username": "user"
    }
  ]
}




bin/cmk -d -s B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw -k -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H list users filter=account,username
[debug] UpdateConfig key:apikey value:-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H update:false
[debug] UpdateConfig key:secretkey value:B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw update:false
[debug] Trying to read API cache from:/Users/kiranchavala/.cmk/profiles/admin.cache
[debug] cmdline args:bin/cmk, -d, -s, B5iRTjItgNnOAyK5QAIsdyNQLY6n2X_Q702mRMe1nQuu3JRS3faltqtHFIbvZZxomssmqtAawEcunJ2g39tmyw, -k, -MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H, list, users, filter=account,username
[debug] ExecCmd args: list, users, filter=account,username
[debug] NewAPIRequest API request URL:http://10.0.35.15:8080/client/api?apiKey=-MPbMG1oCyp5PS0LTIVKDkBbzPDPNcd_SOU-G_48uSiCBb83v_YSLZir1TQd_TkPU5NTMbPdZg5jPTQHN8G3H&command=listUsers&expires=2025-08-18T10%3A20%3A54Z&filter=account%2Cusername&response=json&signatureversion=3
[debug] NewAPIRequest response status code:401
[debug] Credentials supplied on command-line, not falling back to login
[debug] NewAPIRequest response body:{"listusersresponse":{"uuidList":[],"errorcode":401,"errortext":"unable to verify user credentials and/or request signature"}}
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature

shwstppr · 2025-08-18T13:05:19Z

@ingox @shwstppr , independent of the answer, I think this is an improvement as is and we can merge. We can discuss the extra scenario independently , or is there some design impediment in this code for further blocking when in the shell?

@DaanHoogland I'm okay if you want to continue with this and maybe close or update issue #168 accordingly

DaanHoogland · 2025-08-18T13:35:27Z

to be clear @shwstppr , I am alright with merging this, it is a clear improvement. The question is if @ingox thinks if it is enough and closes his issue.

ingox · 2025-08-19T06:56:51Z

@shwstppr and @DaanHoogland This is definitely an improvement for this scenario. It will still leave some risk once you're in cmk. I cannot judge the risk of breaking something else if same behavior gets implemented for within cmk.

shwstppr · 2025-08-20T10:42:52Z

@ingox for now, I think it is safe to limit the new behaviour to command-line case. Otherwise, we can introduce a new config to allow supporting both old and new behaviour. If you are okay, I'll merge this, close your issue and open a new ticket where we can discuss or decide the behaviour for shell case?

weizhouapache · 2025-08-20T12:35:14Z

@shwstppr @DaanHoogland @ingox

sorry for late comment

my idea is a bit radical: we should forget the current keys and user credentials when user tries to use another user (different env, domain/username, or apikey/secretkey)

To be clear,

cmk without arguments: load the default profile. fallback to username if keys do not work.
cmk with profile: load the specified profile. fallback to username if keys do not work.
cmk with -s or -k: load the endpoint URL from default/specified profile or passed by -u. But forget the domain/username/password/apikey/secretkey in profiles
set apikey or set secretkey in cmk shell: forget the domain/username/password/apikey/secretkey loaded from profiles
set domain to a different value : forget the domain/username/password/apikey/secretkey loaded from profiles
set username to a different value : forget the username/password/apikey/secretkey loaded from profiles

shwstppr · 2025-08-20T15:37:31Z

@weizhouapache I feel a little too radical 😀

With this if I do,

set user testuser
set domain testdomain

Won't it forget testuser as soon as I set domain?

weizhouapache · 2025-08-20T16:58:50Z

@weizhouapache I feel a little too radical 😀

With this if I do,
set user testuser
set domain testdomain
Won't it forget testuser as soon as I set domain?

to be user-friendly, I think it is better do not forget the user when set the domain. but it increases the complexity.

ingox · 2025-08-21T07:01:57Z

@shwstppr @DaanHoogland @ingox

sorry for late comment

my idea is a bit radical: we should forget the current keys and user credentials when user tries to use another user (different env, domain/username, or apikey/secretkey)

To be clear,

* cmk without arguments: load the default profile. fallback to username if keys do not work.

* cmk with profile: load the specified profile. fallback to username if keys do not work.

* cmk with -s or -k: load the endpoint URL from default/specified profile or passed by `-u`. But forget the domain/username/password/apikey/secretkey in profiles

* `set apikey` or `set secretkey` in cmk shell:  forget the domain/username/password/apikey/secretkey loaded from profiles

* `set domain` to a different value : forget the domain/username/password/apikey/secretkey loaded from profiles

* `set username` to a different value : forget the username/password/apikey/secretkey loaded from profiles

That is a consistent approach and understandable.

shwstppr · 2025-08-22T08:09:37Z

@ingox @weizhouapache @DaanHoogland if you don't have objections I'll merge this PR and we can create a new issue around better handling of credentials?

shwstppr · 2025-08-25T12:22:30Z

Merging this and creating a new issue to discuss and address credential change especially in cmk shell or when setting credentials individually. #188

shwstppr requested review from DaanHoogland, Pearl1594 and weizhouapache August 7, 2025 03:03

shwstppr closed this Aug 8, 2025

shwstppr reopened this Aug 8, 2025

yadvr added this to the 6.5.0 milestone Aug 11, 2025

DaanHoogland closed this Aug 12, 2025

DaanHoogland reopened this Aug 12, 2025

shwstppr marked this pull request as draft August 12, 2025 10:00

access: prevent login with username-password when command-line creden…

ec3d185

…tials given Fixes apache#168 Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

shwstppr force-pushed the fix-wrongkeys-access branch from a6b815c to ec3d185 Compare August 13, 2025 10:06

shwstppr changed the title ~~access: prevent login with username-password when using wrong keys~~ access: prevent login with username-password when command-line credentials given Aug 13, 2025

shwstppr marked this pull request as ready for review August 13, 2025 10:14

DaanHoogland approved these changes Aug 14, 2025

View reviewed changes

kiranchavala approved these changes Aug 18, 2025

View reviewed changes

shwstppr mentioned this pull request Aug 25, 2025

Better handling of credentials change #188

Open

shwstppr merged commit 068275e into apache:main Aug 25, 2025
6 checks passed

shwstppr deleted the fix-wrongkeys-access branch August 25, 2025 12:23

Conversation

shwstppr commented Aug 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

weizhouapache commented Aug 7, 2025

Uh oh!

shwstppr commented Aug 7, 2025

Uh oh!

weizhouapache commented Aug 7, 2025

Uh oh!

shwstppr commented Aug 8, 2025

Uh oh!

github-actions bot commented Aug 8, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

DaanHoogland commented Aug 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

shwstppr commented Aug 12, 2025

Uh oh!

DaanHoogland commented Aug 12, 2025

Uh oh!

shwstppr commented Aug 13, 2025

Uh oh!

DaanHoogland commented Aug 14, 2025

Uh oh!

DaanHoogland left a comment

Choose a reason for hiding this comment

Uh oh!

ingox commented Aug 14, 2025

Uh oh!

shwstppr commented Aug 18, 2025

Uh oh!

DaanHoogland commented Aug 18, 2025

Uh oh!

kiranchavala left a comment

Choose a reason for hiding this comment

Uh oh!

shwstppr commented Aug 18, 2025

Uh oh!

DaanHoogland commented Aug 18, 2025

Uh oh!

ingox commented Aug 19, 2025

Uh oh!

shwstppr commented Aug 20, 2025

Uh oh!

weizhouapache commented Aug 20, 2025

Uh oh!

shwstppr commented Aug 20, 2025

Uh oh!

weizhouapache commented Aug 20, 2025

Uh oh!

ingox commented Aug 21, 2025

Uh oh!

shwstppr commented Aug 22, 2025

Uh oh!

shwstppr commented Aug 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

shwstppr commented Aug 7, 2025 •

edited

Loading

github-actions bot commented Aug 8, 2025 •

edited

Loading

DaanHoogland commented Aug 12, 2025 •

edited

Loading

shwstppr commented Aug 25, 2025 •

edited

Loading