cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-7958) Limit user login to specific subnets
Date Fri, 14 Apr 2017 15:31:41 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-7958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15969155#comment-15969155 ]

ASF GitHub Bot commented on CLOUDSTACK-7958:
--------------------------------------------

Github user wido commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/2046#discussion_r111589706
  
    --- Diff: server/src/com/cloud/api/ApiServlet.java ---
    @@ -290,6 +292,17 @@ void processRequestInContext(final HttpServletRequest req, final
HttpServletResp
                     CallContext.register(accountMgr.getSystemUser(), accountMgr.getSystemAccount());
                 }
     
    +            if (CallContext.current().getCallingAccount().getType() == Account.ACCOUNT_TYPE_ADMIN)
{
    +                s_logger.debug("CIDRs from which Admin accounts are allowed to perform
API calls " + adminCidrs);
    +                if (!NetUtils.isIpInCidrList(InetAddress.getByName(remoteAddress), adminCidrs.split(",")))
{
    +                    auditTrailSb.append(" " + HttpServletResponse.SC_UNAUTHORIZED + "
" + "IP-Address of remote not in configured Admin CIDR list");
    +                    final String serializedResponse =
    +                            apiServer.getSerializedApiError(HttpServletResponse.SC_UNAUTHORIZED,
"IP-Address of remote not in configured Admin CIDR list",
    +                                    params, responseType);
    +                    HttpUtils.writeHttpResponse(resp, serializedResponse, HttpServletResponse.SC_UNAUTHORIZED,
responseType, apiServer.getJSONContentType());
    --- End diff --
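Review bot: the rejection branch (the `if (!NetUtils.isIpInCidrList(...))` block) records the refusal only in `auditTrailSb`, while the hunk's only log statement is the `s_logger.debug(...)` line that prints the allowed CIDR list on every admin call; log the blocked call at WARN with the offending address, e.g. `s_logger.warn("Admin API call from " + remoteAddress + " rejected: not in configured admin CIDR list");`, and move the CIDR-list dump to TRACE or drop it. Two smaller points on the same block: `adminCidrs.split(",")` throws a NullPointerException when the setting is unset and passes entries with whitespace after the comma through untrimmed, so guard for null/empty and trim each entry before the check; and because the caller has already been authenticated at this point, `HttpServletResponse.SC_FORBIDDEN` describes "valid account, disallowed source address" more accurately than `SC_UNAUTHORIZED` in both the audit entry and the serialized error.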
    
    True, true. I would say WARN?


> Limit user login to specific subnets
> ------------------------------------
>
>                 Key: CLOUDSTACK-7958
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7958
>             Project: CloudStack
>          Issue Type: New Feature
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API, Management Server
>    Affects Versions: Future
>            Reporter: Wido den Hollander
>            Assignee: Wido den Hollander
>            Priority: Minor
>             Fix For: Future
>
>
> When exposing the API there is a potential danger that a user gets his hands on an account with Admin privileges and does bad things to a cloud.
> It would be a useful feature if we could limit certain accounts/users to specific subnets.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
