incubator-cloudstack-dev mailing list archives

From Alex Huang <Alex.Hu...@citrix.com>
Subject RE: Is there anyway to block root admin APIs on WAF?
Date Fri, 26 Oct 2012 17:02:43 GMT
Yup.

Prachi and Likitha are working on breaking them down into end user and admin.  Admin gets
moved to another endpoint.  We're exploring right now.  

I'll ask them to send out the details once they have the prototype.  

--Alex

> -----Original Message-----
> From: Chiradeep Vittal
> Sent: Friday, October 26, 2012 9:53 AM
> To: CloudStack DeveloperList; Alex Huang
> Subject: Re: Is there anyway to block root admin APIs on WAF?
> 
> This sounds like an excellent idea. Could you raise an enhancement request?
> I do remember someone talking about moving all admin level APIs to a
> separate webapp.
> Alex?
> 
> On 10/25/12 3:47 PM, "Clement Chen" <clement.chen@citrix.com> wrote:
> 
> >I am wondering whether there is an easy way to block high privilege
> >APIs on WAF. For example, for security reasons customers might want to
> >block remote access to root admin APIs or limit access to domain admin
> >APIs to certain IP addresses.
> >
> >It can be easily done on WAF if we have separate API endpoints for root
> >admin/domain admin/end user APIs. For example, in case of VMware vCloud
> >Director, APIs accessible only to system admins are under
> >http://hostname/cloud/api/1.0/admin/extension and this can be easily
> >blocked on a WAF.
> >
> >Our API is not pure REST API and we do not have separate endpoints. Is
> >there any easy way to block high privilege APIs other than blocking the
> >commands one by one in the WAF?
> >
> >Thanks.
> >
> >-Clement
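
The per-command filtering the thread asks about, sketched as an added example (not part of the original messages and not CloudStack code): it assumes the command name arrives in a `command` request parameter on the single endpoint. The command-to-tier map and the address ranges are constructed sample policy, not CloudStack's authoritative privilege table.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qsl

# Constructed sample policy: command names and their tiers are illustrative
# assumptions; a real deployment would generate this map from its own API list.
TIER = {
    "addhost": "root", "createzone": "root",
    "createaccount": "domain", "listaccounts": "domain",
    "deployvirtualmachine": "user", "listvirtualmachines": "user",
}

# Constructed source-address rules per tier.
ALLOWED_NETS = {
    "root": [ip_network("127.0.0.0/8")],      # no remote root admin access
    "domain": [ip_network("10.20.0.0/16")],   # domain admin from one network only
    "user": [ip_network("0.0.0.0/0")],        # end users from anywhere (IPv4)
}


def decide(src_ip, url, body=""):
    """Return (allowed, reason) for one request to the shared API endpoint."""
    # parse_qsl percent-decodes, so "command=%61ddHost" is seen as "addHost".
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)  # form-encoded POST body
    commands = [v.strip().lower() for k, v in pairs
                if k.strip().lower() == "command"]
    if len(commands) != 1:
        # Missing or repeated parameter: the filter and the backend could
        # pick different values, so refuse instead of guessing.
        return False, "missing or ambiguous command"
    tier = TIER.get(commands[0])
    if tier is None:
        # Default deny: a command absent from the map is never passed through.
        return False, "unknown command"
    addr = ip_address(src_ip)
    if any(addr in net for net in ALLOWED_NETS[tier]):
        return True, tier
    return False, f"{tier} command from disallowed source"
```

Maintaining such a map is the "one by one" burden the question describes; separate endpoints per privilege level would reduce the rule to a path match.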

