Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-132250

Provide on-demand admin access to virtual instances


    Copied from the PTR:

    ...we provide on-demand admin users that are cleaned up on logout.


    1. Navigate to Virtual Instances
    2. Action item on each virtual instance: "Request admin access". Only available to Omniadmins on the default instance.
    3. A separate portlet
    4. When the action item is clicked, create an admin user for that virtual instance with the following info:
      Screen name: liferay_online_{default-instance-userId}_{customer-instance-userId}
      Email: liferay_online_{default-instance-userId}_{customer-instance-userId}@liferayonline.com
    5. Generate a link with a one-time "token" associated with the temporary admin user that user can use to sign into the virtual instance
      1. Use TicketLocalService#addDistinctTicket and logic similar to password reset
    6. (v2) Send an email with the confirmation link to the LOL admin who requested it. (Approving the one-time token)
    7. LOL admin can click the link to log in with admin access to the virtual instance.
      1. AutoLogin implementation would check the expiration of the ticket (v2: email confirmation)) and return signed user id (e.g. TokenAutoLogin)
      2. (v2) HTTP Filter implementation to prevent active sessions 
    8. On Logout, delete the temporary admin user
    9. If the logout deletion does not occur for any reason, a scheduled job will clean up the temp admin users once a day.
    10. (v2)This job will be hidden behind a portal property that defaults to false, otherwise it will not run.


    • We should make the temp admin user invisible.
      • We can try the "Default" user flag
      • We can try also user.status (WorkflowConstants.STATUS_DRAFT)
    • We must the temp admin user non-editable.
      • We probably need PermissionCheckerWrapper
    • Nobody can sign into the temp admin without the token (e.g. close all sessions using HTTP Filter)
      • Similar to PasswordModifiedFilter
    • (v2) The token use is time-limited (5 minutes - in a config) and is one-time (removed after use/consumed).
      • Use TicketLocalService
    • The clean-up interval must be configurable
    • (v2) We should provide messaging to guide the LOL admin to log out when the admin task is completed, triggering deletion of the temp user. Logout deletion should be the preferred cleanup method, with the scheduled job catching any left over users that did not get deleted by Logout.
    • Since the email addresses and screen names of the generated users operate on a predictable pattern, auditing of the temp admin users' activity should be fairly straightforward to implement.


    from Eduardo re: how auth is handled:
    "The proposal is to use MFA, so that the Sys Admin demanding the temporary user are force to confirm their identity, and we don't send passwords. Then they receive a one-time-token access."

    Additionally, this should be placed in a dedicated module or set of modules that can be excluded from release.


      Issue Links



            patricia.perez Patricia Perez
            drew.brokke Drew Brokke
            Pei-Jung Lan Pei-Jung Lan
            Kiyoshi Lee Kiyoshi Lee
            0 Vote for this issue
            4 Start watching this issue




                Version Package
                7.4.13 DXP GA1
       CE GA4