[ https://issues.apache.org/jira/browse/CLOUDSTACK-7958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15968915#comment-15968915 ]

ASF GitHub Bot commented on CLOUDSTACK-7958:
--------------------------------------------

GitHub user wido opened a pull request:

    https://github.com/apache/cloudstack/pull/2046

    CLOUDSTACK-7958: Add configuration for limit to CIDRs for Admin API calls

    The global setting 'management.admin.cidr' is set to 0.0.0.0/0,::/0
    by default to preserve the current behavior and thus allow API calls
    for Admin accounts from all IPv4 and IPv6 subnets.
    
    Users can set it to a comma-separated list of IPv4/IPv6 subnets to
    restrict API calls for Admin accounts to certain parts of their network(s).
    
    This is to improve security. Should an attacker steal the Access/Secret key
    of an Admin account, he/she still needs to be in a subnet from where Admin
    accounts are allowed to perform API calls.
    
    This is a good security measure for APIs which are connected to the public
    internet.
    
    
    This PR also includes a commit to clean up and improve NetUtils.
    
    No existing methods have been altered. That has been verified by adding
    additional unit tests for this.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/wido/cloudstack admin-cidr

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/2046.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2046
    
----
commit 770b0bdd4f20deefcb11d9c7b7713e06e3281e8e
Author: Wido den Hollander <[email protected]>
Date:   2017-04-13T15:23:24Z

    Cleanup and Improve NetUtils
    
    This class had many unused methods, inconsistent names and redundant code.
    
    This commit cleans up code, renames a few methods and constants.
    
    Methods were renamed to clearly show that they are for IPv4 or IPv6.
    
    Tests were improved and added to test the changes that were made to the
    code.
    
    Signed-off-by: Wido den Hollander <[email protected]>

commit fb6ab51ba384cb2ae3eed788f3c241b4c28c9bf5
Author: Wido den Hollander <[email protected]>
Date:   2017-04-13T15:23:36Z

    CLOUDSTACK-7958: Add configuration for limit to CIDRs
    
    The global setting 'management.admin.cidr' is set to 0.0.0.0/0,::/0
    by default to preserve the current behavior and thus allow API calls
    for Admin accounts from all IPv4 and IPv6 subnets.
    
    Users can set it to a comma-separated list of IPv4/IPv6 subnets to
    restrict API calls for Admin accounts to certain parts of their network(s).
    
    This is to improve security. Should an attacker steal the Access/Secret key
    of an Admin account, he/she still needs to be in a subnet from where Admin
    accounts are allowed to perform API calls.
    
    This is a good security measure for APIs which are connected to the public
    internet.
    
    Signed-off-by: Wido den Hollander <[email protected]>

----


> Limit user login to specific subnets
> ------------------------------------
>
>                 Key: CLOUDSTACK-7958
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7958
>             Project: CloudStack
>          Issue Type: New Feature
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: API, Management Server
>    Affects Versions: Future
>            Reporter: Wido den Hollander
>            Assignee: Wido den Hollander
>            Priority: Minor
>             Fix For: Future
>
>
> When exposing the API there is a potential danger that a user gets his hands
> on an account with Admin privileges and does bad things to a cloud.
> It would be a useful feature if we could limit certain accounts/users to
> specific subnets.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
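The check that a setting like 'management.admin.cidr' implies, worked through as an added example; this is not code from the CloudStack pull request (CloudStack's own implementation is Java, in NetUtils and the API layer) and the function names, the fail-closed handling of a malformed setting, and the unwrapping of IPv4-mapped IPv6 addresses are assumptions of this example, not behaviour the PR describes. The sample addresses and subnets are constructed for the demonstration.

```python
import ipaddress

# Default value quoted in the PR description: any IPv4 or IPv6 source is allowed,
# which preserves the pre-feature behaviour.
DEFAULT_ADMIN_CIDR = "0.0.0.0/0,::/0"


def parse_cidr_setting(setting):
    """Parse a comma-separated list of IPv4/IPv6 subnets into network objects.

    A malformed entry raises ValueError. The caller turns that into "deny" so a
    typo in the setting cannot silently widen the allowed set (assumption of
    this example; the PR does not say how CloudStack treats bad input).
    """
    networks = []
    for raw in setting.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate "10.0.0.0/8, ,::/0" style stray commas
        # strict=False accepts host bits set, e.g. "10.0.0.5/8" -> 10.0.0.0/8
        networks.append(ipaddress.ip_network(entry, strict=False))
    if not networks:
        raise ValueError("admin CIDR setting contains no subnets")
    return networks


def normalize_source(ip_str):
    """Return the client address as an ipaddress object.

    A dual-stack listener reports IPv4 peers as IPv4-mapped IPv6 addresses
    (::ffff:10.0.0.5). Unwrapping them means an operator who listed 10.0.0.0/8
    is not locked out of the API by the socket layer's representation.
    """
    addr = ipaddress.ip_address(ip_str)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def admin_call_allowed(source_ip, setting=DEFAULT_ADMIN_CIDR):
    """True if source_ip lies inside any configured subnet; fails closed otherwise.

    `addr in net` is False when the address family and the subnet family differ,
    so a mixed IPv4/IPv6 list needs no special casing here.
    """
    try:
        networks = parse_cidr_setting(setting)
        addr = normalize_source(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed sample: a management network and one IPv6 prefix are allowed.
    restricted = "10.0.0.0/8, 2001:db8:1::/48"
    for src in ("10.1.2.3", "::ffff:10.1.2.3", "192.0.2.9", "2001:db8:1::5", "2001:db8:2::5"):
        print(src, "->", "allow" if admin_call_allowed(src, restricted) else "deny")
```

The address passed in must be the real peer address of the management server connection. If the API sits behind a reverse proxy or load balancer, a forwarded-for header is client-controlled and can only be trusted after the proxy that sets it has been verified; that caveat applies to any source-CIDR control and is not something the PR itself discusses.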
