I grep’ed the source code and came up with a list of the
APIs which the UI uses. That list is at the end of this message.
You can see that many of them (addNetscalerLoadBalancer, addVmwareDc, etc.) are
not in the generated API documentation which appears at
http://cloudstack.apache.org/docs/ap
-DskipTests), doesn't include the commands
> > mentioned by Demetrius. Looks like some regression bug in
> > ApiXmlDocWriter - it used to include all the commands in 3.0.x
> > version of the code.
> >
> > -Alena.
> >
> > From: Demetrius Tsit
at 4:39 PM, Demetrius Tsitrelis
wrote:
> Do you still think there needs to be a bug filed for the missing APIs?
>
> -Original Message-
> From: Animesh Chaturvedi [mailto:animesh.chaturv...@citrix.com]
> Sent: Thursday, October 17, 2013 1:21 PM
> To: dev@cloudstack.a
Password, hashedPassword) && realUser;
This way authentication will take the same amount of time regardless of whether
the user exists, thus mitigating the timing attack.
- Demetrius Tsitrelis
On Aug. 6, 2013, 9:51 p.m., Amo
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13252/#review24759
---
Ship it!
Ship It!
- Demetrius Tsitrelis
On Aug. 6, 2013, 9:59
The admin and install guides recommend pulling files from SourceForge.
Specifically:
SSH Key Gen script:
http://downloads.sourceforge.net/project/cloudstack/SSH%20Key%20Gen%20Script/cloud-set-guest-sshkey.in?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fcloudstack%2Ffiles%2FSSH%2520Key%2520Gen
CloudStack does not enforce complexity rules for user passwords even in its
built-in user database. For some accounts in particular, such as the root
domain admin, it would seem a good idea to have some minimum requirements.
Empty passwords, for example, should not be allowed. What do you thi
I'd like to propose a few changes. Some adding a parameter to an existing API
and some adding a new API altogether. Is there a document describing ASF or
ACS policies for doing so?
Sent from my Windows Phone
isting api method signatures
(adding/removing parameters).
Regards
Alex Hitchins
D: +44 1892 523 587 | S: +44 2036 030 540 | M: +44 7788 423 969
alex.hitch...@shapeblue.com
-Original Message-
From: Demetrius Tsitrelis [mailto:demetrius.tsitre...@citrix.com]
Sent: 29 March 2
One problem is that the API documentation
(https://cloudstack.apache.org/docs/api/apidocs-4.3/root_admin/login.html)
still says that the password should be hashed. The docs are out of date; send
the password in plain text.
And - think about security. DON'T use HTTP GET or the query parameters
[mailto:run...@gmail.com]
Sent: Wednesday, April 16, 2014 12:16 PM
To: dev@cloudstack.apache.org
Subject: Re: login API with MD5 is not working
On Apr 16, 2014, at 12:56 PM, Demetrius Tsitrelis
wrote:
> One problem is that the API documentation
> (https://cloudstack.apache.org/docs/api/apido
This property is used to dynamically insert HTML into the UI. Unfortunately,
it is easily abused because it accepts input such as
will try with https now.
Just for information, why did they change this from MD5 to plain text?
Regards,
Tejas
On Thu, Apr 17, 2014 at 1:03 AM, Demetrius Tsitrelis <
demetrius.tsitre...@citrix.com> wrote:
> There is already an open bug
> (https://issues.apache.org/jira/browse/CLO
It has not been open sourced.
-Original Message-
From: Ryan Shafer [mailto:ryan.sha...@ecommerce.com]
Sent: Wednesday, April 23, 2014 7:45 AM
To: dev@cloudstack.apache.org
Subject: Source Code for Windows Password Manager
I have been looking through the cloudstack source code and I canno
I know that any breaking API changes have to wait until the next major version
of the project and I don't see any sections on the Wiki about ideas for the 5.x
version.
, May 9, 2014 at 10:33 PM, Demetrius Tsitrelis
wrote:
> I know that any breaking API changes have to wait until the next major
> version of the project and I don't see any sections on the Wiki about ideas
> for the 5.x version.
>
--
Daan
, 2014 at 7:48 PM, Demetrius Tsitrelis
wrote:
> When I log into cwiki I don't see an option to add (or even edit) a page. Do
> I need additional permissions?
>
> -Original Message-
> From: Daan Hoogland [mailto:daan.hoogl...@gmail.com]
> Sent: Sunday, May 11,
Thanks. I created a page for 5.0.
-Original Message-
From: Daan Hoogland [mailto:daan.hoogl...@gmail.com]
Sent: Wednesday, May 14, 2014 12:28 AM
To: dev
Subject: Re: Where is appropriate place to begin discussion for 5.0 API
discussion?
On Tue, May 13, 2014 at 6:55 PM, Demetrius
In the "Features" section of the CloudStack 4.4 Release (Draft) page
(https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=39623192) is
a filter for a previous version of features
(https://issues.apache.org/jira/sr/jira.issueviews:searchrequest-xml/12323168/SearchRequest-12323168.xml
ecure/Dashboard.jspa?selectPageId=12323265
On Wed, May 21, 2014 at 11:34 PM, Demetrius Tsitrelis
wrote:
> In the "Features" section of the CloudStack 4.4 Release (Draft) page
> (https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=39623192)
> is a filter for a prev
I see that DevCloud was available for 4.2 and then DevCloud 2.0 was available
for 4.3 so does that mean that there will be a DevCloud 3.0 for 4.4?
is to the getProperty()
method for the default value. It looks like that change to null wouldn't
matter as the constructor for CloudStackApi() would just reassign 8080?
- Demetrius Tsitrelis
On May 27, 2014, 8:04 p.m., Dmitry
registerTemplate has both the passwordenabled and sshkeyenabled parameters.
So why doesn't createTemplate have both? Reference:
http://cloudstack.apache.org/docs/api/apidocs-4.3/root_admin/createTemplate.html
example, on instance Wizard, create/register/delete ssh key, resetsshkey
for vm, register template, etc.
I have implemented some of them on 4.2, it needs to be changed for
4.3/4.4/master
-Wei
2014-07-01 22:06 GMT+02:00 Demetrius Tsitrelis <
demetrius.tsitre...@citrix.com>:
> registerTem
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
- Original Message -
> From: "Demetrius Tsitrelis"
> To: dev@cloudstack.apache.org
> Sent: Tuesday, 1 July, 2014 9:24:55 PM
> Subject: RE: createTemplate API lacks sshkeyenabled?
>
> Thanks,
m the source template of the VM.
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
- Original Message -
> From: "Demetrius Tsitrelis"
> To: dev@cloudstack.apache.org
> Sent: Tuesday, 1 July, 2014 10:48:11 PM
> Subject: RE: createTemplate API l
On 02-Jul-2014,at 4:45 am, Demetrius Tsitrelis
wrote:
> I see - thanks. But what if I created a VM from an .ISO? It still seems
> that I have to use createTemplate to make a template which CloudStack could
> use, but that API will not let me tell CloudStack that my new VM is run
EasySSLProtocolSocketFactory.
Why change Cloudstack to automatically accept self-signed certificates here?
- Demetrius Tsitrelis
On May 27, 2014, 8:04 p.m., Dmitry Batkovich wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit
?
- Demetrius Tsitrelis
On May 27, 2014, 8:04 p.m., Dmitry Batkovich wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache
> On June 24, 2014, 11:10 p.m., Demetrius Tsitrelis wrote:
> > The only change I can see regarding "SSL enabling" is to the getProperty()
> > method for the default value. It looks like that change to null wouldn't
> > matter as the constructor for Clou
> On July 6, 2014, 8:45 a.m., Demetrius Tsitrelis wrote:
> > Another concern is that the new code is using EasySSLProtocolSocketFactory.
> > Why change Cloudstack to automatically accept self-signed certificates
> > here?
>
> Dmitry Batkovich wrote:
> Mm,
rsday, July 03, 2014 11:05 AM
To:
Subject: Re: createTemplate API lacks sshkeyenabled?
Yes Demetrius, please raise a bug at https://issues.apache.org/jira
-Harikrishna
On 03-Jul-2014, at 12:52 am, Demetrius Tsitrelis
wrote:
> OK, should I raise a bug to remove the parameter (at least
Will the plugin merely show the strength of the password or will the plugin
prevent the use of weak passwords?
From: Damoder Reddy [damoder.re...@citrix.com]
Sent: Thursday, July 17, 2014 11:02 PM
To: dev@cloudstack.apache.org
Subject: [PROPOSAL] Adding a
POSAL] Adding a plugin to check the password strength of all
users
Will show the strength of the password as well.
On 18-Jul-2014, at 6:53 pm, Demetrius Tsitrelis
wrote:
> Will the plugin merely show the strength of the password or will the plugin
> prevent the use of wea
Congratz!
-Original Message-
From: Rajani Karuturi [mailto:rajani.karut...@citrix.com]
Sent: Tuesday, July 22, 2014 1:53 AM
To: dev@cloudstack.apache.org
Subject: Re: [ANNOUNCE] Rajani Karuturi as committer
Thanks everyone !!
~Rajani
On 22-Jul-2014, at 2:15 pm, Sanjeev Neelarapu
wr
For legacy reasons the MD5 and plaintext plugins are included in the list of
authenticators. If a company has been using CloudStack for a while they may
want to move all their users to a stronger plugin such as SHA256SALTED (which
is now the default).
Is there a mechanism to do that? It doesn'
assword
change' protocol at the moment. It is assumed that user provisioning and user
lifecycle is best left to a different system.
From: Demetrius Tsitrelis
mailto:demetrius.tsitre...@citrix.com>>
Reply-To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>"
What about using POST via AJAX instead of using implied GET in the link?
-Original Message-
From: Giri Prasad [mailto:g_p...@yahoo.com.INVALID]
Sent: Friday, September 05, 2014 4:47 AM
To: dev@cloudstack.apache.org; us...@cloudstack.apache.org
Subject: Re: API calls and keys
I have imple
OWASP has some security-related modules which would be great to incorporate
into CloudStack:
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
https://www.owasp.org/index.php/OWASP_JSON_Sanitizer
These are BSD licensed. What is the process for bundling them into CloudStack?
Legal re
ou’re trying to do with it?
>
> On 24-Sep-2014, at 8:10 pm, Demetrius Tsitrelis <
> demetrius.tsitre...@citrix.com> wrote:
> > OWASP has some security-related modules which would be great to
> incorporate into CloudStack:
> >
> > https://www.owasp.org/index.php/OW
Do you mean you tried setting the USER_AGENT like in
https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard-remote-detection-for-bash-shellshock?
-Original Message-
From: Ian Duffy [mailto:i...@ianduffy.ie]
Sent: Friday, September 26, 2014 6:56 AM
To: CloudStack Dev
Subj
ot be exploited.
--Sheng
On Fri, Sep 26, 2014 at 1:57 PM, Demetrius Tsitrelis <
demetrius.tsitre...@citrix.com> wrote:
> Do you mean you tried setting the USER_AGENT like in
> https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard
> -remote-detection
calc included system() function call but our Debian-based system VMs are using
dash as the system shell. So I think this Shellshock concern does not directly
affect the system VM cgi-bin, right?
GO
from my iPhone
On 2014/09/30 10:13, Demetrius Tsitrelis wrote:
> http://systemvm-public-ip/cgi-bin/
trius,
Which Date of SystemVM are you using now?
And please share result of "ls -al /bin/sh" on your System VM.
from my iPhone
On 2014/10/01 3:42, Demetrius Tsitrelis wrote:
> When I do "echo $SHELL" on the Virtual Router instance I see "/bin/bash".
>
>
Interestingly this video shows attack against a perl script...
https://www.youtube.com/watch?v=ArEOVHQu9nk
-Original Message-
From: Demetrius Tsitrelis [mailto:demetrius.tsitre...@citrix.com]
Sent: Monday, September 29, 2014 6:13 PM
To:
Subject: RE: Shellshock
http://systemvm-public
Actually, I am not sure. Only the env.cgi script is loaded and, while the
other scripts are in perl, there is nothing in the video which shows the source
for the env.cgi script so it may not be perl.
-Original Message-
From: Demetrius Tsitrelis [mailto:demetrius.tsitre...@citrix.com
It doesn't seem that OpenSwan is very actively maintained if there is an issue
with the OS X client. Is there another IPsec VPN we could use instead
(strongSwan, Libreswan, etc.)?
-Original Message-
From: Harikrishna Patnala [mailto:nore...@reviews.apache.org] On Behalf Of
Harikrishna
What about changing the system VM random passwords to use
generateRandomPassword() instead of generatePresharedKey()? Seems like it
should be the same function.
-Original Message-
From: Ian Duffy [mailto:i...@ianduffy.ie]
Sent: Friday, October 24, 2014 6:00 PM
To: CloudStack Dev
Subjec
Are there any plans to disable SSLv3 in favor of TLS in CloudStack?
There are many places where SSLv3 is still enabled: the web servers, various
plugins, etc.
Just trying to understand our existing integration
I found
http://docs.openstack.org/juno/config-reference/content/introduction-to-xen.html
which discusses how OpenStack uses XAPI plugins. Do we have a similar
document describing the integration of CloudStack with Xen via SSH?
Don't we
In CloudStack, it seems that one can login via three methods:
1) Connect to the API endpoint and use a login command with a user name and
password.
2) Connect to the API endpoint and use a login command with a user name and a
signature based upon the "security.singlesignon.key" global setting.
3)
There is code in the DownloadManagerImpl.configure() method indicating that SSL
certs other than for realhostip.com are not supported. I have created a bug
for this: https://issues.apache.org/jira/browse/CLOUDSTACK-5386
-Original Message-
From: Wei ZHOU [mailto:ustcweiz...@gmail.com]
S
I was looking at the SSL code in CloudStack and noticed that there are about a
dozen calls to the SSLContext.getInstance() method. Some of them use the "SSL"
protocol while others use "TLS" or "TLSv1". So I'm wondering if it makes sense
to expose a configuration setting which specifies an o
CS
Why not set it to the highest secure protocol level always?
On 12/20/13 12:56 PM, "Demetrius Tsitrelis" wrote:
>
>
>I was looking at the SSL code in CloudStack and noticed that there are
>about a dozen calls to the
>SSLContext.getInstance() method. Some of the
It might also be good to be able to globally specify other characteristics of
the SSL/TLS configuration - for example, the list of supported ciphers.
-Original Message-
From: Demetrius Tsitrelis [mailto:demetrius.tsitre...@citrix.com]
Sent: Tuesday, December 24, 2013 10:11 AM
To: dev
In CloudStack's various uses of SSL, I never see that we disable Nagle. Isn't
this a performance killer?
nteraction is not high bandwidth
nor latency sensitive, so it shouldn't matter.
When it is the server, I guess we could set it, but again, nobody has
complained.
On 1/9/14 10:58 AM, "Demetrius Tsitrelis" wrote:
>In CloudStack's various uses of SSL, I never see tha