mgr/dashboard: Enforce password change upon first login
Reviewed-by: Laura Paduano <lpaduano@suse.com>
Reviewed-by: Stephan Müller <smueller@suse.com>
Reviewed-by: Tiago Melo <tmelo@suse.com>
We need to either fill out the list_daemons APIs in the dashboard and test
that, or redesign and reimplement the services abstractions in the
orchestration layer. Until then, disable this test.
Signed-off-by: Sage Weil <sage@redhat.com>
Introduce the following:
- A new layout component for the login pages.
- A new route called /login-change-password.
- A guard that checks if a user must change the password (ChangePasswordGuardService). If this is true, redirect to /login-change-password.
- Added LoginPasswordFormComponent (extends UserPasswordFormComponent) for the password form but (looks similar the login page).
Fixes: tracker.ceph.com/issues/24655
Signed-off-by: Volker Theile <vtheile@suse.com>
- We keep ServiceDescription around unmodified (although it will need some
cleanup later)
- We add DaemonDescription, and clean out the service-related ambiguities
- Add a new list_daemons() method for Orchestrator
- Add a new 'ceph orch ps' command
- In cephadm, drop get_services(), and implement list_daemons()
- a million changes to make this work
- Adjust health alert and option names
Signed-off-by: Sage Weil <sage@redhat.com>
this test will end with a failure like
```
2020-01-30T18:15:15.870 INFO:tasks.ceph.mgr.x.smithi042.stderr:Warning: Permanently added 'smithi042.front.sepia.ceph.com,172.21.15.42' (ECDSA) to the list of known hosts.
2020-01-30T18:15:15.925 INFO:tasks.ceph.mgr.x.smithi042.stderr:Permission denied, please try again.
2020-01-30T18:15:15.932 INFO:tasks.ceph.mgr.x.smithi042.stderr:Permission denied, please try again.
2020-01-30T18:15:15.939 INFO:tasks.ceph.mgr.x.smithi042.stderr:root@smithi042.front.sepia.ceph.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
```
because mgr is not able to establish an ssh connection to that host with "root".
please note, the teuthology worker is acting using the "ubuntu" account on the
test node, and by default, "root" does not have its pubkey. and actually
`qa/tasks/cephadm.py` does push the pubkey to all the managed hosts before
testing cephadm.
since `qa/tasks/cephadm.py` is a better test for cephadm, let's just
drop this one.
as suites/rados/cephadm already covers cephadm
Signed-off-by: Kefu Chai <kchai@redhat.com>
Give the cluster some time to recover from the unknown
PG state before checking if the OSD is safe to destroy.
Fixes: https://tracker.ceph.com/issues/43912
Signed-off-by: Tatjana Dehler <tdehler@suse.com>
* refs/pull/32788/head:
qa/tasks/mgr/dashboard: set pg_num to 32
mgr/pg_autoscaler: default to pg_num[_min] = 32
Reviewed-by: Sage Weil <sage@redhat.com>
if mgr is not active, monitor will refuse to set any option consumed by
mgr modules.
the reason the tests pass somtimes is that, we have a racing here:
1. stop all mgr daemons
2. MgrMonitor gets updated and updates its mgr_module_options
accordingly.
3. in TestDashboard.setUp(), we reset the port number for dashboard
using "ceph config set mgr mgr/dashboard/y/ssl_server_port 7789"
4. restart all mgr daemons
but the 2nd step and 3rd step could race with each other, if the 2nd
step happens after 3rd step, the test passes. otherwise it fails.
in this change, "--force" is passed to the "ceph config set" command,
so ConfigMonitor can bypass the sanity test for the option, and just
set this option.
Signed-off-by: Kefu Chai <kchai@redhat.com>
qa/tasks/mgr/dashboard: set pg_num to 16
Reviewed-by: Volker Theile <vtheile@suse.com>
Reviewed-by: Sebastian Wagner <swagner@suse.com>
Reviewed-by: Tatjana Dehler <tdehler@suse.com>
Reviewed-by: Laura Paduano <lpaduano@suse.com>
mgr/dashboard: Throw a more meaningful exception
Reviewed-by: Sebastian Wagner <swagner@suse.com>
Reviewed-by: Tatjana Dehler <tdehler@suse.com>
Reviewed-by: Tiago Melo <tmelo@suse.com>
Choose another future_date_1 date (9 days instead of 10) to
make sure the expiration date will be between future_date_1
and future_date_2. Otherwise the expiration date might be
equal to future_date_1.
Also wait for 10 seconds before the password refresh in
test_pwd_expiration_date_update to prevent date equality.
Fixes: https://tracker.ceph.com/issues/43431
Signed-off-by: Tatjana Dehler <tdehler@suse.com>
qa/tasks/mgr/test_orchestrator_cli: fix service action tests
Reviewed-by: Thomas Bechtold <tbechtold@suse.com>
Reviewed-by: Sebastian Wagner <swagner@suse.com>
in b77f0c74a5, "reload"
service[-instance] action was dropped. so replace "reload" with
"restart" in the related tests.
Signed-off-by: Kefu Chai <kchai@redhat.com>
* Remove scope and permission check from UserPasswordPolicy controller again, otherwise the Angular UI validator can't be executed for users without that privilege.
* Remobe obsolete QA test.
Signed-off-by: Volker Theile <vtheile@suse.com>
1. Fix the test cases by using the 'assertJsonBody'
method. The '_post' method doesn't return anything.
That's why we need to use the 'assertJsonBody'
method here instead of checking the fields directly.
2. Add the missing scope and permission definition of the
'validate_password' resource. Otherwise the resource
is not restricted and 'test_validate_password_invalid_permissions'
will fail.
3. Re-word error messages. Change 'cannot' to 'must not'.
Signed-off-by: Tatjana Dehler <tdehler@suse.com>
- Add 'api/user/validate_password' endpoint to check if a
password meets the password policy. A new controller has
to be added for 'api/user' which has NO security scope,
otherwise it wouldn't be possible for users without USER
privileges to call the endpoint.
- Add Angular async validator to check if the entered password
meets the policy.
Fixes: https://tracker.ceph.com/issues/43088
Signed-off-by: Volker Theile <vtheile@suse.com>
Now both CephFS quotas can be changed with a validation against the next
tree maximum in the file tree, that prevents setting the quotas in a way
that would not be usable.
Fixes: https://tracker.ceph.com/issues/38287
Signed-off-by: Stephan Müller <smueller@suse.com>
Add a 'pwd_expiration_date' field to the User object to be able
to set password expiration date per user.
There are two options to set a password expiration date for a
user:
1. Set the 'USER_PWD_EXPIRATION_SPAN' setting. If defined
the expiration date of the password will be calculated
automatically based on the given value. It will also be
updated automatically when the user changes the password.
2. Set an expiration date by setting the 'pwdExpirationDate'
field when creating a user.
Add two more settings in addition: USER_PWD_EXPIRATION_WARNING_1
and USER_PWD_EXPIRATION_WARNING_2. These two settings are
defining the amount of days to notify the user that his password
will expiration soon.
It's not possible to set the 'pwd_expiration_date' field to a
date in the past.
If the password of a user is already expired he is no longer
allowed to log into the dashboard.
Fixes: https://tracker.ceph.com/issues/40329
Signed-off-by: Tatjana Dehler <tdehler@suse.com>
There were a couple of problems found by flake8 in the qa/
directory (most of them fixed now). Enabling flake8 during the usual
check runs hopefully avoids adding new issues in the future.
Signed-off-by: Thomas Bechtold <tbechtold@suse.com>
