[jira] [Commented] (CLOUDSTACK-7958) Limit user login to specific subnets

Wed, 03 Jan 2018 21:27:18 -0800 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-7958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16310740#comment-16310740
 ] 

ASF subversion and git services commented on CLOUDSTACK-7958:
-------------------------------------------------------------

Commit 9988c269b259b84c0b8436bad17f88dbc1d706e7 in cloudstack's branch 
refs/heads/master from [~widodh]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=9988c26 ]

CLOUDSTACK-7958: Add configuration for limit to CIDRs for Admin API calls 
(#2046)

* Cleanup and Improve NetUtils

This class had many unused methods, inconsistent names and redundant code.

This commit cleans up code, renames a few methods and constants.

The global/account setting 'api.allowed.source.cidr.list' is set
to 0.0.0.0/0,::/0 by default preserve the current behavior and thus
allow API calls for accounts from all IPv4 and IPv6 subnets.

Users can set it to a comma-separated list of IPv4/IPv6 subnets to
restrict API calls for Admin accounts to certain parts of their network(s).

This is to improve Security. Should an attacker steal the Access/Secret key
of an account he/she still needs to be in a subnet from where accounts are
allowed to perform API calls.

This is a good security measure for APIs which are connected to the public 
internet.

Signed-off-by: Wido den Hollander <w...@widodh.nl>

> Limit user login to specific subnets
> ------------------------------------
>
>                 Key: CLOUDSTACK-7958
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7958
>             Project: CloudStack
>          Issue Type: New Feature
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: API, Management Server
>    Affects Versions: Future
>            Reporter: Wido den Hollander
>            Assignee: Wido den Hollander
>            Priority: Minor
>             Fix For: Future
>
>
> When exposing the API there is a potential danger that a user gets his hands 
> on a account with Admin privileges and does bad things to a cloud.
> It would be a useful feature if we could limit certain accounts/users to 
> specific subnets.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to