[ https://issues.apache.org/jira/browse/CLOUDSTACK-7958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16310740#comment-16310740 ]
ASF subversion and git services commented on CLOUDSTACK-7958:
-------------------------------------------------------------

Commit 9988c269b259b84c0b8436bad17f88dbc1d706e7 in cloudstack's branch refs/heads/master from [~widodh]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=9988c26 ]

CLOUDSTACK-7958: Add configuration for limit to CIDRs for Admin API calls (#2046)

* Cleanup and Improve NetUtils

This class had many unused methods, inconsistent names and redundant code.

This commit cleans up code, renames a few methods and constants.

The global/account setting 'api.allowed.source.cidr.list' is set to
0.0.0.0/0,::/0 by default to preserve the current behavior and thus allow API
calls for accounts from all IPv4 and IPv6 subnets.

Users can set it to a comma-separated list of IPv4/IPv6 subnets to restrict
API calls for Admin accounts to certain parts of their network(s).

This is to improve security. Should an attacker steal the Access/Secret key of
an account, he/she still needs to be in a subnet from which accounts are
allowed to perform API calls.

This is a good security measure for APIs which are connected to the public
internet.

Signed-off-by: Wido den Hollander <w...@widodh.nl>

> Limit user login to specific subnets
> ------------------------------------
>
>                 Key: CLOUDSTACK-7958
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7958
>             Project: CloudStack
>          Issue Type: New Feature
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: API, Management Server
>    Affects Versions: Future
>            Reporter: Wido den Hollander
>            Assignee: Wido den Hollander
>            Priority: Minor
>             Fix For: Future
>
>
> When exposing the API there is a potential danger that a user gets his hands
> on an account with Admin privileges and does bad things to a cloud.
> It would be a useful feature if we could limit certain accounts/users to
> specific subnets.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)