Defect #3306
Closed
For technical and other accounts it is not possible to set a password
100%
Description
When creating technical or other accounts, it is not possible to set a password even if the attribute "__PASSWORD__" is part of the system mapping.
After creating a technical or other account, the password is generated according to policies.
In the case of a technical account, it is not possible to change the password anywhere in IdM and the generated password cannot be determined.
For other user accounts, the generated password is sent by the acc:newPassword notification and it is possible to change the password in the standard way:
Example:
Updated by Tomáš Doischer almost 2 years ago
- Sprint set to Sprint 13.1-3 (bře 22 - dub 05)
- Target version set to 13.1.0
Updated by Peter Štrunc over 1 year ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Peter Štrunc to Tomáš Doischer
- Priority changed from High to Normal
- % Done changed from 0 to 50
I fixed an issue that would cause some attributes to not show in the wizard for systems, which have multiple schemas.
Now it is possible to set a password when creating a new account because the attribute is correctly displayed in the wizard. During an edit, however, the __PASSWORD__ attribute is not shown, because it is not returned from the system by default.
Changing the password will be enabled by implementing password management for technical accounts, or overriding empty attributes from the schema.
Implementing those features will be implemented later, as the feature is not critical for our current projects. This is also the reason for lowering the priority of this ticket.
The fix of the previously mentioned bug is here: https://github.com/bcvsolutions/CzechIdMng/pull/360
@doischert could you check it out?
Updated by Tomáš Doischer over 1 year ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Tomáš Doischer to Peter Štrunc
The bugfix was merged, LGTM.
We will need to add pwd management for technical accounts so I'll leave this ticket open.
Updated by Tomáš Doischer over 1 year ago
- Sprint changed from Sprint 13.1-3 (bře 22 - dub 05) to Sprint 13.1-4 (dub 05 - dub 19)
Updated by Peter Štrunc over 1 year ago
Here is my analysis of what has to be done in order to implement password management for technical accounts.
Password management for technical accounts
Current state
Backend
PasswordChangeController - main entry point for password changes
- passwordChange(UUID, PasswordChangeDto)
- hardcoded IdmIdentityDto lookup
- authenticates, if identity is not authenticated
- for unauthenticated password change, or mustChange when logging in with expired password
- Checks permission for password change after authentication
- Calls identityService.passwordChange(identity, PasswordChangeDto)
IdmIdentityService
- Publishes IdmIdentityEvent.PASSWORD
- identity-password-validate-processor(acc)
- Fetches all identity accounts
- Validates provided accounts (password change type)
- Validates against system password policies for each account
- identity-password-validate-processor(core)
- Validates all aspects of password change (original pwd requirement, policies, change type)
- identity-uniform-password-processor
- Handles uniform password stuff and password filter echo
- Uses identity only for account searches
- identity-password-processor
- saves PasswordDto and handles password age from idm password policy
- core-identity-demo-change-processor
- for monitoring changes on admin identity
- identity-password-provisioning-processor
- setup echo
- call provisioningService.changePassword(identity, passwordChangeDto)
- process results and handle password filter
- identity-password-change-notification
- Notifies identity of password change
ProvisioningService
- Notifies identity of password change
- identity-password-validate-processor(acc)
- Calls provisioning executor changePassword
- uses dto and PasswordChangeDto as input (no need for identity)
Frontend
All of the frontend only works with identity and its accounts
PasswordChangeComponent - renders form and sends requests to backend controller
- hard coupling on identityManager and identityService
PasswordChangeRoute
PasswordRoute
PasswordChangeForm
Requirements
Enable use case of changing account’s password from account detail
Support identity account and Technical accounts
Support accounts without owner (AccAccount)
Proposed changes
Backend
Introduce a new interface PasswordManageable
Extract common password management logic into common predecessors for all password processors
Move logic from PasswordController somewhere, where it can be generalized for different PasswordManageables
Move event type PASSWORD from IdmIdentityEventType to a new event type, which is not tied to IdmIdentity
- Make all password processors react to this new event
Update tests and write new ones for tech account password management
Frontend
Make PasswordChangeComponent take managers as a prop, so that we can supply correct managers
Introduce new routes for password change on account detail
- No need for other tabs such as Password details and Tokens, just change form
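The decoupling proposed above, as an added illustrative sketch (not CzechIdM code; the interface, event and processor names are assumptions): password processors react to a generic event carrying any PasswordManageable, so an identity and an owner-less technical account go through the same validate-then-provision flow, with the technical account not requiring the original (generated, unknown) password.

```java
import java.util.*;
import java.util.function.Consumer;

// Hypothetical contract for anything whose password IdM may manage.
interface PasswordManageable { UUID getId(); String getKind(); }

record Identity(UUID id) implements PasswordManageable {
    public UUID getId() { return id; }
    public String getKind() { return "identity"; }
}
// Technical account without an owning identity (AccAccount in the analysis).
record TechnicalAccount(UUID id, String system) implements PasswordManageable {
    public UUID getId() { return id; }
    public String getKind() { return "technical account on " + system; }
}

record PasswordChange(String oldPassword, String newPassword, boolean requireOld) {}

// Event type not tied to IdmIdentityEventType, as the analysis proposes.
record PasswordEvent(PasswordManageable target, PasswordChange change) {}

public class PasswordFlow {
    // Processors run in registration order and each receives the same event.
    private final List<Consumer<PasswordEvent>> processors = new ArrayList<>();

    PasswordFlow() {
        // password-validate-processor: checks depend only on the change, not on the target type
        processors.add(e -> {
            PasswordChange c = e.change();
            if (c.requireOld() && (c.oldPassword() == null || c.oldPassword().isBlank()))
                throw new IllegalArgumentException("original password required");
            if (c.newPassword().length() < 12)   // toy policy standing in for IdM password policies
                throw new IllegalArgumentException("policy: minimum length 12");
        });
        // password-provisioning-processor: keyed by the target, no identity lookup
        processors.add(e -> System.out.printf("provision password for %s %s%n",
                e.target().getKind(), e.target().getId()));
    }

    void changePassword(PasswordManageable target, PasswordChange change) {
        PasswordEvent event = new PasswordEvent(target, change);
        processors.forEach(p -> p.accept(event));
    }

    public static void main(String[] args) {
        PasswordFlow flow = new PasswordFlow();
        flow.changePassword(new Identity(UUID.randomUUID()),
                new PasswordChange("old-secret-value", "N3w-longer-secret!", true));
        // Generated password of a technical account is unknown, so the admin-driven
        // change does not require it (constructed sample values).
        flow.changePassword(new TechnicalAccount(UUID.randomUUID(), "ldap-demo"),
                new PasswordChange(null, "T3chnical-secret-value!", false));
    }
}
```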
Updated by Tomáš Doischer over 1 year ago
- Status changed from In Progress to Needs feedback
Updated by Tomáš Doischer over 1 year ago
- Status changed from Needs feedback to In Progress
Updated by Tomáš Doischer over 1 year ago
- Sprint deleted (Sprint 13.1-4 (dub 05 - dub 19))
Updated by Peter Štrunc over 1 year ago
- Target version changed from 13.1.0 to 13.0.5
Updated by Peter Štrunc over 1 year ago
- Status changed from In Progress to Rejected
- % Done changed from 50 to 100
Implementation of password management is a new feature and will be implemented in a separate ticket https://redmine.czechidm.com/issues/3349