-
Notifications
You must be signed in to change notification settings - Fork 445
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Email 2FA verification for admins logging into Fleet w/o SSO #22078
Comments
Hey @sharon-fdm! Who would be a good engineer for @randy-fleet to partner w/ while designing this one? |
All our BE engineers can help, but @lucasmrod did several tasks in/around this area in the past. |
FYI @randy-fleet ^^ |
@noahtalerman I added a note about reference doc changes needed, and noted where there are no changes needed for Activity and Permissions, but am unsure if there will be CLI/YAML/API changes. Can you help clarify there? |
@randy-fleet thanks! There are no YAML changes but I think we do want to make CLI changes: add a new flag to the fleetctl is Fleet's CLI tool. I suggest following the guide here to download it so you can play around and see the existing options. To see all options (flags) available for |
@sharon-fdm this story is almost ready for specs. To alleviate some design capacity and move quickly, I think we'll want the engineering team's help designing the API changes and updating the API docs. To track this, I moved these checkboxes (above and in the issue description) to the engineering section. Please let me know if you have questions/concerns. |
FYI @randy-fleet ^ |
@noahtalerman, no problem, we will try to allocate some cycles for this soon. cc: @lucasmrod |
@noahtalerman, @lucasmrod is assigned to help with the API design and will get to it after some P2 work. |
@noahtalerman I got fleetctl up and running and proposed the new flag on the ticket - thanks! |
Thanks @randy-fleet! I think we want to be more explicit than Right now, as someone creating a user w/ We could solve this by explaining that it's email in the description. But what if we add an option for 2FA via authenticator app later? I think we want to leave the door open for another explicit flag. Also, note on an interesting design pattern for command line tools: command line tools often have a double dash |
@rachaelshaw if you have time, and Lucas hasn't gotten to API design, I would pick this one up after you get through API design review. |
@noahtalerman @lucasmrod API design PR here, added you both as reviewers. I kept "email" out of the new key name and just called it |
@randy-fleet @noahtalerman noticed one potential issue in the designs that I wasn't sure y'all had talked about: we're specifying that the email should be updated to say "Hello {First name}", but the form asks for a user's full name as one field. Inferring first/last names from full names can be tricky since you can't always rely on the location of spaces (e.g. "Mary Jane Van der Henst") so unless we already have code for handling that somewhere in the product, it may make sense to just do "Hello {Full name}". |
@rachaelshaw great catch! I think let's go w/ what's simple for now. Sounds like that's full name. I updated the Figma here: cc @randy-fleet |
…, fix X logo location, swap Twitter for X on other automated email templates (#24506) For consistency with new MFA email in #22078. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Manual QA for all new/changed functionality
…, fix X logo location, swap Twitter for X on other automated email templates (#24506) For consistency with new MFA email in #22078. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Manual QA for all new/changed functionality
For #22078. # Checklist for submitter - [x] Manual QA for all new/changed functionality
For #22078. # Checklist for submitter - [x] Manual QA for all new/changed functionality
For #23910; docs for #22078. Also fixes "does Fleet supported" typo. --------- Co-authored-by: Noah Talerman <[email protected]> Co-authored-by: Rachael Shaw <[email protected]>
Waiting for the best practice to be added to guides (PR here) before closing this story, |
Fleet shipped email 2FA. User story is here (#22078) - Add best practice to guides: - Email 2FA for "break-glass" user - SSO for all other users - Update pricing page to link to feature request instead of the user story. --------- Co-authored-by: Marko Lisica <[email protected]>
#25005 is merged. Closing this story. |
Two-factor embrace, |
Goal
Objective
Customer promises + renewal requests
Original request
Context
Changes
Includes updates to creating and editing users, the invitation flow, and introduces a new (optional) magic link (2FA) experience.
Product
2fa - Enable login two-factor authentication (default: false)
Engineering
QA
Risk assessment
Automated tests to write
Integration
Fleet Free
License failures:
Fleet Premium
Skipping admin-created tests because we don't have fully set up mailer in integration test suites.
Service
Session
User
Invite
Data store
Other tests
Manual testing steps (checked when QA'd by engineer)
fleetctl
Web UI
Additional Manual QA
Testing notes
You'll need to set up mail serving for this. SSO config also required for some tests
Confirmation
The text was updated successfully, but these errors were encountered: