[
https://issues.apache.org/jira/browse/CLOUDSTACK-7958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15969023#comment-15969023
]
ASF GitHub Bot commented on CLOUDSTACK-7958:
--------------------------------------------
Github user DaanHoogland commented on a diff in the pull request:
https://github.com/apache/cloudstack/pull/2046#discussion_r111568888
--- Diff: server/src/com/cloud/api/ApiServlet.java ---
@@ -290,6 +292,17 @@ void processRequestInContext(final HttpServletRequest
req, final HttpServletResp
CallContext.register(accountMgr.getSystemUser(),
accountMgr.getSystemAccount());
}
+ if (CallContext.current().getCallingAccount().getType() ==
Account.ACCOUNT_TYPE_ADMIN) {
+ s_logger.debug("CIDRs from which Admin accounts are
allowed to perform API calls " + adminCidrs);
+ if
(!NetUtils.isIpInCidrList(InetAddress.getByName(remoteAddress),
adminCidrs.split(","))) {
+ auditTrailSb.append(" " +
HttpServletResponse.SC_UNAUTHORIZED + " " + "IP-Address of remote not in
configured Admin CIDR list");
+ final String serializedResponse =
+
apiServer.getSerializedApiError(HttpServletResponse.SC_UNAUTHORIZED,
"IP-Address of remote not in configured Admin CIDR list",
+ params, responseType);
+ HttpUtils.writeHttpResponse(resp, serializedResponse,
HttpServletResponse.SC_UNAUTHORIZED, responseType,
apiServer.getJSONContentType());
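Review bot: The rejection path uses SC_UNAUTHORIZED (401) for a caller whose credentials were already accepted and whose account type resolved to Admin; since the refusal is about the source address rather than authentication, SC_FORBIDDEN (403) is the accurate status and avoids clients retrying with new credentials. Two further points in the same hunk: `adminCidrs.split(",")` passes a single empty entry when the setting is blank and passes untrimmed entries when the setting is written as `10.0.0.0/8, 192.168.0.0/16`, so please trim each entry, drop empty ones, and state explicitly whether an unset list means "no restriction" or "deny all" rather than leaving that to whatever `NetUtils.isIpInCidrList` does with `""`; and the `s_logger.debug` line prints the whole CIDR list on every admin call, whereas the line worth having on every attempt is a WARN on rejection carrying `remoteAddress` and the account, as the comment below asks. Also consider catching the checked exception from `InetAddress.getByName(remoteAddress)` so a malformed address fails closed instead of propagating.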
--- End diff --
This you do want to log on every attempt (WARN or INFO???)
> Limit user login to specific subnets
> ------------------------------------
>
> Key: CLOUDSTACK-7958
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7958
> Project: CloudStack
> Issue Type: New Feature
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: API, Management Server
> Affects Versions: Future
> Reporter: Wido den Hollander
> Assignee: Wido den Hollander
> Priority: Minor
> Fix For: Future
>
>
> When exposing the API there is a potential danger that a user gets his hands
> on an account with Admin privileges and does bad things to a cloud.
> It would be a useful feature if we could limit certain accounts/users to
> specific subnets.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
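The check discussed in this thread, written out as an added example that is not the pull request's code or CloudStack's `NetUtils`: it takes a comma-separated CIDR setting in the shape of the hunk's `adminCidrs`, tolerates whitespace and blank entries, handles IPv6 and IPv4-mapped IPv6 peers, fails closed on an unparsable remote address, and returns a 403 with the same message the hunk uses. `ACCOUNT_TYPE_ADMIN = 1`, the `allow_when_unset` default and the function names are assumptions made here for illustration, not values taken from the page.

```python
import ipaddress
import logging
from typing import List, Optional, Tuple, Union

log = logging.getLogger("admin-cidr-gate")

# Assumption for this example: numeric value standing in for Account.ACCOUNT_TYPE_ADMIN
# in the hunk; the real constant is not shown on the page.
ACCOUNT_TYPE_ADMIN = 1

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_cidr_list(raw: str) -> List[Network]:
    """Parse a comma-separated CIDR setting such as '10.0.0.0/8, 192.168.1.0/24'.

    Whitespace around entries is tolerated and blank entries are dropped, so a
    trailing comma or a blank setting does not produce a bogus '' network.
    An entry that is not a valid network raises ValueError so a typo in the
    setting is caught when it is loaded rather than silently changing who is
    allowed in.
    """
    networks: List[Network] = []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # strict=False accepts host bits set, e.g. '10.1.2.3/8' -> 10.0.0.0/8
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def normalize_remote(remote_address: str) -> Address:
    """Parse the peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Dual-stack servlet containers can report an IPv4 client in mapped form,
    which would otherwise never match an IPv4 CIDR entry.
    """
    ip = ipaddress.ip_address(remote_address.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_admin_source_allowed(remote_address: str, admin_cidrs: str,
                            allow_when_unset: bool = True) -> bool:
    """Return True if remote_address falls inside any configured admin CIDR.

    allow_when_unset decides the policy for a blank setting (no restriction
    versus deny all); it is an explicit design choice here, not behaviour
    taken from the hunk. A remote address that cannot be parsed is rejected.
    """
    networks = parse_cidr_list(admin_cidrs)
    if not networks:
        return allow_when_unset
    try:
        ip = normalize_remote(remote_address)
    except ValueError:
        return False
    # ip_network.__contains__ returns False across address families, so an
    # IPv6 peer never matches an IPv4 entry by accident.
    return any(ip in net for net in networks)


def admin_api_gate(account_type: int, remote_address: str,
                   admin_cidrs: str) -> Optional[Tuple[int, str]]:
    """Mirror of the hunk's decision: None means proceed, otherwise (status, message).

    Only Admin accounts are subject to the check. A refused attempt is logged
    once at WARN with the peer address, and answered with 403 Forbidden since
    the caller did authenticate; the source address is what is not allowed.
    """
    if account_type != ACCOUNT_TYPE_ADMIN:
        return None
    if is_admin_source_allowed(remote_address, admin_cidrs):
        return None
    log.warning("Admin API call from %s refused: not in admin CIDR list %r",
                remote_address, admin_cidrs)
    return (403, "IP-Address of remote not in configured Admin CIDR list")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample requests: (account type, peer address).
    setting = "10.0.0.0/8, 192.168.1.0/24,, 2001:db8::/32"
    for acct, peer in [(ACCOUNT_TYPE_ADMIN, "10.1.2.3"),
                       (ACCOUNT_TYPE_ADMIN, "172.16.0.1"),
                       (ACCOUNT_TYPE_ADMIN, "::ffff:192.168.1.9"),
                       (0, "172.16.0.1")]:
        print(acct, peer, admin_api_gate(acct, peer, setting))
```

The parser raising on a malformed entry is deliberate: a global setting that is silently ignored when it contains a typo is the failure mode most likely to turn this control into a no-op.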