Posted to dev@cloudstack.apache.org by nnesic <gi...@git.apache.org> on 2015/10/29 14:11:10 UTC

[GitHub] cloudstack pull request: Fixed user_vm_view to only display keypai...

GitHub user nnesic opened a pull request:

    https://github.com/apache/cloudstack/pull/1006

    Fixed user_vm_view to only display keypairs belonging to the account.

    The user_vm_view displays the keypair information by joining vm_details with ssh_keypairs on the key value exclusively. 
    
    We found a scenario in which this can cause information leakage. If there are two accounts using the same key, but create a different key name for it, and then a vm is created using one of the keys, the view will list both keypairs as belonging to the vm, which can in turn cause confusion to the users who see a keypair name which they did not create. 
    
    The fix simply limits the view to displaying keypairs which belong to vm's account. 
    
    I added it to the latest schema migration only; should I also include it in the previous ones? 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/greenqloud/cloudstack user_vm_keypairs_fix

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1006.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1006
    
----
commit aae47af5c1798dd480144bc38425251307838a62
Author: nnesic <ne...@greenqloud.com>
Date:   2015-10-29T12:18:17Z

    Fixed user_vm_view to only display keypairs belonging to the account.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack pull request: Fixed user_vm_view to only display keypai...

Posted by karuturi <gi...@git.apache.org>.
Github user karuturi commented on the pull request:

    https://github.com/apache/cloudstack/pull/1006#issuecomment-152493863
  
    Manual Testing:
    Before:
    ssh_keypairs
    ```
    mysql> select * from ssh_keypairs;
    +----+------------+-----------+--------------+-------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | id | account_id | domain_id | keypair_name | fingerprint                                     | public_key                                                                                                                                                                                                           |
    +----+------------+-----------+--------------+-------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    |  1 |         60 |         3 | rajani       | 60:f3:cb:9b:c4:b8:c1:cd:36:13:3a:28:17:26:01:b2 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDo6DcY9r8Br56JUD2Vv33KNiieElPQV0+Qepz+8lGHlIlYn8I2ubXcVOrGBtET6JGlHqVlSmjKEjeHXcvILPZsxxMjGX4skPQtBVOaH1kQcYU2YpYxxm5piQPpOo263AkWmQrfBb/W0n8ChWfOuBSYvbpzdqATsQUGnNCQuthBKQ== |
    |  3 |         62 |         3 | bharat       | 69:72:47:63:10:aa:76:37:d9:fc:c2:51:66:1e:b9:93 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDo6DcY9r8Br56JUD2Vv33KNiieElPQV0+Qepz+8lGHlIlYn8I2ubXcVOrGBtET6JGlHqVlSmjKEjeHXcvILPZsxxMjGX4skPQtBVOaH1kQcYU2YpYxxm5piQPpOo263AkWmQrfBb/W0n8ChWfOuBSYvbpzdqATsQUGnNCQuthBKQ== |
    +----+------------+-----------+--------------+-------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    ```
    user_vm_view
    ```
    mysql> select id,name,account_name,keypair_name from user_vm_view;
    +----+------+--------------+--------------+
    | id | name | account_name | keypair_name |
    +----+------+--------------+--------------+
    | 67 | rvm1 | rajanik      | rajani       |
    | 68 | bvm1 | bharatk      | rajani       |
    | 67 | rvm1 | rajanik      | bharat       |
    | 68 | bvm1 | bharatk      | bharat       |
    +----+------+--------------+--------------+
    ```
    Ui vm screenshot:
    ![screen shot 2015-10-30 at 3 30 01 pm](https://cloud.githubusercontent.com/assets/186833/10843914/f732beee-7f21-11e5-9682-c5207f3c4dfd.png)
    
    
    1. checked out the PR
    2. did mvn clean install -Pdeveloper,systemvm on an existing setup
    3. manually ran the drop view and create view query
    4. start jetty mvn  -pl client jetty:run -o
    
    After the change.
    
    user_vm_view
    ```
    mysql> select id,name,account_name,keypair_name from user_vm_view;
    +----+------+--------------+--------------+
    | id | name | account_name | keypair_name |
    +----+------+--------------+--------------+
    | 67 | rvm1 | rajanik      | rajani       |
    | 68 | bvm1 | bharatk      | bharat       |
    +----+------+--------------+--------------+
    2 rows in set (0.00 sec)
    ```
    UI Vm screenshot
    ![screen shot 2015-10-30 at 3 37 13 pm](https://cloud.githubusercontent.com/assets/186833/10843965/374adcc8-7f22-11e5-8e06-65a22040e5d4.png)
    
    :+1: 
    
    Can you create an issue for this in jira and add it to the commit message please?


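The join described in the PR, replayed against the before/after data from the manual test above. This is an added example, not CloudStack's own view definition: the tables and the view query are a reduced, assumed form of the real schema, and the key material is a constructed sample.

```python
import sqlite3

# Constructed, simplified stand-ins for the CloudStack tables the view joins.
# Column names follow the thread; the real tables carry many more columns.
SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY, account_name TEXT);
CREATE TABLE ssh_keypairs (id INTEGER PRIMARY KEY, account_id INTEGER,
                           keypair_name TEXT, public_key TEXT);
CREATE TABLE vm_instance (id INTEGER PRIMARY KEY, name TEXT, account_id INTEGER);
CREATE TABLE user_vm_details (vm_id INTEGER, name TEXT, value TEXT);
"""

# Same key material registered by two accounts under different names (constructed sample).
SHARED_KEY = "ssh-rsa AAAAB3NzaC1yc2E...CONSTRUCTED-SAMPLE=="

# Scenario from the thread: account 60 names the key 'rajani', account 62 names
# it 'bharat'; each account deploys one VM with its own keypair.
SAMPLE_DATA = f"""
INSERT INTO account VALUES (60, 'rajanik'), (62, 'bharatk');
INSERT INTO ssh_keypairs VALUES (1, 60, 'rajani', '{SHARED_KEY}'),
                                (3, 62, 'bharat', '{SHARED_KEY}');
INSERT INTO vm_instance VALUES (67, 'rvm1', 60), (68, 'bvm1', 62);
INSERT INTO user_vm_details VALUES (67, 'SSH.PublicKey', '{SHARED_KEY}'),
                                   (68, 'SSH.PublicKey', '{SHARED_KEY}');
"""

# Assumed, reduced form of the view's keypair join: before the fix, ssh_keypairs
# is matched on the public key alone, which is what produced the extra rows.
VIEW_QUERY = """
SELECT vm.id, vm.name, a.account_name, k.keypair_name
FROM vm_instance vm
JOIN account a ON a.id = vm.account_id
LEFT JOIN user_vm_details d ON d.vm_id = vm.id AND d.name = 'SSH.PublicKey'
LEFT JOIN ssh_keypairs k ON k.public_key = d.value
"""
OWNER_PREDICATE = " AND k.account_id = vm.account_id"  # the condition the PR adds


def vm_keypair_rows(restrict_to_owner):
    """Rows (vm id, vm name, account_name, keypair_name) as the view would list them."""
    query = VIEW_QUERY + (OWNER_PREDICATE if restrict_to_owner else "")
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + SAMPLE_DATA)
    rows = con.execute(query + " ORDER BY vm.id, k.keypair_name").fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    for label, fixed in (("before", False), ("after", True)):
        print(label, vm_keypair_rows(fixed))
```

Without the owner predicate each VM picks up both keypair names, so a user sees a name registered by another account; with it, each VM lists only its owner's name.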

[GitHub] cloudstack pull request: Fixed user_vm_view to only display keypai...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/cloudstack/pull/1006



[GitHub] cloudstack pull request: Fixed user_vm_view to only display keypai...

Posted by bhaisaab <gi...@git.apache.org>.
Github user bhaisaab commented on the pull request:

    https://github.com/apache/cloudstack/pull/1006#issuecomment-152420812
  
    Looks good to me, though I've not tested it. Since the key is the same (content wise), it should not cause any security issue other than some naming confusion.



[GitHub] cloudstack pull request: Fixed user_vm_view to only display keypai...

Posted by remibergsma <gi...@git.apache.org>.
Github user remibergsma commented on the pull request:

    https://github.com/apache/cloudstack/pull/1006#issuecomment-152306235
  
    Thanks for the fix @nnesic ! Pinging @DaanHoogland @bhaisaab to review.

