cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From wido <...@git.apache.org>
Subject [GitHub] cloudstack pull request #2046: CLOUDSTACK-7958: Add configuration for limit ...
Date Fri, 14 Apr 2017 11:28:03 GMT
GitHub user wido opened a pull request:

    https://github.com/apache/cloudstack/pull/2046

    CLOUDSTACK-7958: Add configuration for limit to CIDRs for Admin API calls

    The global setting 'management.admin.cidr' is set to 0.0.0.0/0,::/0
    by default preserve the current behavior and thus allow API calls
    for Admin accounts from all IPv4 and IPv6 subnets.
    
    Users can set it to a comma-separated list of IPv4/IPv6 subnets to
    restrict API calls for Admin accounts to certain parts of their network(s).
    
    This is to improve Security. Should a attacker steal the Access/Secret key
    of a Admin account he/she still needs to be in a subnet from where Admin accounts
    are allowed to perform API calls.
    
    This is a good security measure for APIs which are connected to the public internet.
    
    
    This PR also includes a commit to cleanup and improve NetUtils.
    
    No existing methods have been altered. That has been verified by adding additional Unit
Tests for this.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/wido/cloudstack admin-cidr

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/2046.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2046
    
----
commit 770b0bdd4f20deefcb11d9c7b7713e06e3281e8e
Author: Wido den Hollander <wido@widodh.nl>
Date:   2017-04-13T15:23:24Z

    Cleanup and Improve NetUtils
    
    This class had many unused methods, inconsistent names and redundant code.
    
    This commit cleans up code, renames a few methods and constants.
    
    Methods were renamed to clearly show that they are for IPv4 or IPv6.
    
    Tests were improved and added to test the changes that were made to the code.
    
    Signed-off-by: Wido den Hollander <wido@widodh.nl>

commit fb6ab51ba384cb2ae3eed788f3c241b4c28c9bf5
Author: Wido den Hollander <wido@widodh.nl>
Date:   2017-04-13T15:23:36Z

    CLOUDSTACK-7958: Add configuration for limit to CIDRs
    
    The global setting 'management.admin.cidr' is set to 0.0.0.0/0,::/0
    by default preserve the current behavior and thus allow API calls
    for Admin accounts from all IPv4 and IPv6 subnets.
    
    Users can set it to a comma-separated list of IPv4/IPv6 subnets to
    restrict API calls for Admin accounts to certain parts of their network(s).
    
    This is to improve Security. Should a attacker steal the Access/Secret key
    of a Admin account he/she still needs to be in a subnet from where Admin accounts
    are allowed to perform API calls.
    
    This is a good security measure for APIs which are connected to the public internet.
    
    Signed-off-by: Wido den Hollander <wido@widodh.nl>

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message