cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs
Date Thu, 31 Dec 2015 14:07:49 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15075955#comment-15075955
] 

ASF GitHub Bot commented on CLOUDSTACK-9099:
--------------------------------------------

Github user DaanHoogland commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1152#discussion_r48657695
  
    --- Diff: server/src/com/cloud/user/AccountManager.java ---
    @@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity>
s
         public static final String MESSAGE_ADD_ACCOUNT_EVENT = "Message.AddAccount.Event";
     
         public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = "Message.RemoveAccount.Event";
    +    public static final ConfigKey<Boolean> UseSecretKeyInResponse = new ConfigKey<Boolean>(
    +            "Advanced",
    +            Boolean.class,
    +            "use.secret.key.in.response",
    +            "true",
    --- End diff --
    
    default should be false! this is a security issue.


> SecretKey is returned from the APIs
> -----------------------------------
>
>                 Key: CLOUDSTACK-9099
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9099
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Kshitij Kansal
>            Assignee: Kshitij Kansal
>
> The sercreKey parameter is returned from the following APIs:
> createAccount
> createUser
> disableAccount
> disableUser
> enableAccount
> enableUser
> listAccounts
> listUsers
> lockAccount
> lockUser
> registerUserKeys
> updateAccount
> updateUser



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message