cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chip Childers <chip.child...@sungard.com>
Subject Re: [ACS41] Release Status - Bugs to kill!
Date Thu, 28 Mar 2013 13:36:48 GMT
On Thu, Mar 28, 2013 at 01:33:15PM +0000, Murali Reddy wrote:
> On 27/03/13 9:49 PM, "Chip Childers" <chip.childers@sungard.com> wrote:
> 
> >On Wed, Mar 27, 2013 at 03:39:25PM +0000, Murali Reddy wrote:
> >> On 27/03/13 8:04 PM, "Chip Childers" <chip.childers@sungard.com> wrote:
> >> 
> >> >
> >> >Murali Reddy -
> >> >  CLOUDSTACK-1673 AWS Regions - Events - User disable event does not
> >> >include the UUID of the user that was disabled.
> >> >
> >> >  Murali, you mentioned that you were working on a fix for this.  You
> >> >  happened to note that you would have it by the 20th.  Having any
> >>luck?
> >> 
> >> 
> >> Sorry on the delay. Though I have fix ready, I can not fully test it
> >> because most of the events are not generated due to bug CLOUDSTACK-1664.
> >> Moreover I do not think its critical bug. I have left below comment in
> >>the
> >> bug and marked as major. I can fix this bug if required only after fix
> >>for
> >> CLOUDSTACK-1664 is checked-in.
> >> 
> >> "Do not think its critical issue in the context of Regions. While
> >>syncing
> >> account/user/domain information across the regions using event bus is
> >>just
> >> one implementation option. User provisioning system's like portals can
> >> directly create account/user/domains across regions with out need of
> >>event
> >> bus.
> >> 
> >> Even if one uses event bus, there are other implementation options with
> >> which once achieve this. For eg, when User/Account/Domain create event
> >> occurs, consumers can query list of account/domain/accounts details in
> >>the
> >> region which generated the event and figure the details of new object
> >> created."
> >> 
> >
> >Thanks for the reply.  Assuming that Kelvin's patch for 1664 is actually
> >in the
> >set of fixes I already applied to 4.1, does that mean that you can test
> >and resolve 1673 now?  I see your point about this not being the only
> >implementation model for regions, but it is the one that's being
> >included as the reference approach for 4.1.  Not syncing a disable event
> >sounds like a potential security hole.
> >
> >Unless anyone objects, and based on the logic above, I'd still consider
> >1673 as a critical fix for 4.1.
> >
> >-chip
> >
> 
> Ok, I can fix bug 1673 for 4.1 but I do not see any security issue with
> 1673. There bug is about the events published on the event bus, does not
> have specific information (UUID) on which user/account action is taken.
> Did you mean issue reported in 1664 is security issue? There are no events
> generated at all by CloudStack for account enable etc.
> 
> On 1673, I wasted some time testing this issue on master, looks like
> changes for CLOUDSTACK-1664 are not in master yet. I will test with 4.1,
> and see if I can close this bug by EOD today.

It's possible that I'm misinterpreting the effect of 1673, specifically
I assumed that it meant that a user/account being disabled in one region
wouldn't propagate to the other region(s).  If that's not the case, then
this may certainly be a nice to have.  I defer to your judgement, but in
either case a fix would be great...  ;-)

-chip

Mime
View raw message