[ https://issues.apache.org/jira/browse/CLOUDSTACK-3342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14042868#comment-14042868 ]
Demetrius Tsitrelis commented on CLOUDSTACK-3342:
-------------------------------------------------
This is a poor security practice. It was Amazon which provided him his secret
key - NOT CloudStack. What is the use case for an "admin" (who may actually be a
shoulder-surfer) seeing the S3 secret key?
Further, in addition to changing the UI we should also remove the secret key
from the response of the underlying CloudStack API.
> Object_Store_Refactor - S3 "Secret Key" must not be visible in the UI after
> S3 Object store creation.
> -----------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-3342
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3342
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: UI
> Affects Versions: 4.2.0
> Reporter: Thomas O'Dowd
> Assignee: Min Chen
> Labels: s3, security
>
> 1. Login to a freshly deployed devcloud server.
> 2. Click Infrastructure
> 3. Click secondary Storage
> 4. Remove NFS
> 5. Add new S3 Secondary Storage (anything will do for this bug as it's a
> display bug)
> 6. Re-visit secondary storage and click on the S3 storage you created.
> Expectation:
> You can NOT see the "secret key".
> Actual:
> You can see all the details of the S3 object store including the "secret key".
> The secret key is like a password. Anyone knowing the secret key can
> upload/delete etc. from the S3 store. It should not be available easily in my
> opinion. I guess it's easily available in the database anyway but let's keep it
> out of the browser after it's been input. It can be displayed using ***.
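Both fixes discussed in this thread, masking the value in the UI (the reporter's "***") and dropping it from the API response (the comment's suggestion), come down to filtering the serialized response before it reaches the browser. The following is an added example, not code from CloudStack or from anyone in the issue; the response shape, key names and values are constructed for illustration.

```python
import json
import re

# Constructed sample response. The shape loosely follows a CloudStack-style "details"
# list; the field names and values are assumptions, not real API data or real keys.
SAMPLE_RESPONSE = {
    "listimagestoresresponse": {
        "imagestore": [{
            "name": "s3-secondary",
            "providername": "S3",
            "details": [
                {"name": "accesskey", "value": "CONSTRUCTEDACCESSKEY"},
                {"name": "secretkey", "value": "constructed-secret-value"},
                {"name": "bucket", "value": "cloudstack-secondary"},
            ],
        }],
    }
}

SENSITIVE_KEY = re.compile(r"secret|password|passwd|token", re.IGNORECASE)
MASK = "***"  # what the UI shows instead of the real value

def _is_sensitive_detail(obj):
    # CloudStack-style {"name": "secretkey", "value": "..."} detail entry
    return isinstance(obj, dict) and "value" in obj and bool(SENSITIVE_KEY.search(str(obj.get("name", ""))))

def redact(obj):
    """UI-side option: copy of the response with sensitive values replaced by MASK."""
    if _is_sensitive_detail(obj):
        return {**obj, "value": MASK}
    if isinstance(obj, dict):
        return {k: MASK if SENSITIVE_KEY.search(k) else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return obj

def strip_sensitive(obj):
    """API-side option: drop sensitive entries so the secret never leaves the server.
    A sensitive detail entry becomes None and is dropped by its containing list."""
    if _is_sensitive_detail(obj):
        return None
    if isinstance(obj, dict):
        return {k: strip_sensitive(v) for k, v in obj.items() if not SENSITIVE_KEY.search(k)}
    if isinstance(obj, list):
        return [s for s in (strip_sensitive(item) for item in obj) if s is not None]
    return obj

def leaks(obj, secret):
    """Regression check: does the literal secret still appear in the serialized response?"""
    return secret in json.dumps(obj)
```

The `leaks` check is the kind of assertion worth keeping in a test suite so the field cannot quietly reappear in a later response serializer.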
--
This message was sent by Atlassian JIRA
(v6.2#6252)