[
https://issues.apache.org/jira/browse/CLOUDSTACK-3030?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Animesh Chaturvedi updated CLOUDSTACK-3030:
-------------------------------------------
ACS 4.3.0 feature freeze is Nov 8th. I will cut the 4.3 branch from master on
that day. Please provide an update on your issue as a comment.
> Object_Store_Refactor - Download template from S3 should not set template to
> public-readable.
> ---------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-3030
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3030
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the
> default.)
> Components: Template
> Environment: latest object_store branch on fedora 17
> devcloud on same machine
> Cloudian (for S3 services) on separate machine. (expect similar result with
> other S3 object stores).
> Reporter: Thomas O'Dowd
> Assignee: Min Chen
> Fix For: 4.2.0
>
>
> This is a security issue in my opinion.
> When you upload a template to S3 secondary storage and then try to download
> it, Cloudstack changes the permission on the S3 object to the canned acl
> "public-read" and then displays the url in a popup which the user can click
> on to download the template.
> Using "public-read" is bad because it means that anyone who knows the S3
> object name can now download the template. Instead of using the
> canned-acl "public-read", I recommend using "Query String Request
> Authentication Alternative" which is described at the following url:
> http://docs.aws.amazon.com/AmazonS3/2006-03-01/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
> This allows Cloudstack to generate a unique short lived url for the user to
> download the template while keeping the template private in the S3 object
> store.
> Steps:
> 1. setup S3 object storage (can be amazon)
> 2. Add S3 as secondary storage in Cloudstack.
> 3. Upload a new template (I uploaded "tinyLinux.vhd.gz" by giving a url on my
> local network where I had it hosted)
> 4. Try to download the template.
> When you download from the GUI, you can check the ACL of the template object
> and see that it can be downloaded by anyone. If you check the XML of the
> response you should find the following grant.
> ====== Partial XML showing S3 object has public read access =====
> <Grant>
> <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="Group">
> <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
> </Grantee><Permission>READ</Permission>
> </Grant>
> ====== end of XML showing S3 object has public read access =====
> The canned-acl "public-read" is applied to the template in a separate
> operation when you click to download the template using a PUT Object ACL
> request.
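The query-string authentication the report links to, as an added Python example (not CloudStack's or the reporter's code): the signer builds a short-lived GET URL for an object that stays private, and the verifier shows the check the storage side performs, so a leaked URL stops working once Expires has passed. Credentials, bucket and key are constructed values; this is the SigV2 scheme the linked page describes, which the AWS SDKs have since superseded with SigV4 presigning.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed sample values, not real credentials or a real bucket.
ACCESS_KEY = "AKIAEXAMPLEKEY"
SECRET_KEY = "example-secret-not-a-real-key"
BUCKET = "cloudstack-secondary"
KEY = "template/tmpl/2/201/tinyLinux.vhd.gz"


def string_to_sign(bucket, key, expires):
    # GET, empty Content-MD5 and Content-Type, no x-amz-* headers,
    # then Expires (epoch seconds) and the canonicalized resource.
    return f"GET\n\n\n{expires}\n/{bucket}/{key}"


def sign(secret, sts):
    # Signature = Base64(HMAC-SHA1(secret, StringToSign))
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def presigned_url(bucket, key, access_key, secret, ttl, now=None):
    """Short-lived GET URL for a private object; no PUT Object ACL needed."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    sig = sign(secret, string_to_sign(bucket, key, expires))
    return (f"https://{bucket}.s3.amazonaws.com/{quote(key)}"
            f"?AWSAccessKeyId={access_key}&Expires={expires}"
            f"&Signature={quote(sig, safe='')}")


def verify_presigned_url(url, secret, now=None):
    """Storage-side check: reject expired or tampered URLs. Returns a reason."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)  # URL-decodes the values
    try:
        expires = int(params["Expires"][0])
        sig = params["Signature"][0]
    except (KeyError, ValueError):
        return "missing or malformed auth parameters"
    if now > expires:
        return "expired"
    bucket = parsed.hostname.split(".")[0]
    key = unquote(parsed.path.lstrip("/"))
    expected = sign(secret, string_to_sign(bucket, key, expires))
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "bad signature"
    return "ok"
```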
--
This message was sent by Atlassian JIRA
(v6.1#6144)