Posted to issues@cloudstack.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/07/24 02:48:38 UTC

[jira] [Commented] (CLOUDSTACK-7175) Domain Id is exposed in error message when cross domain access is attempted when listing Vms.

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-7175?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14072646#comment-14072646 ] 

ASF subversion and git services commented on CLOUDSTACK-7175:
-------------------------------------------------------------

Commit e6ead3176c2132d38283dc404ae601506e278a34 in cloudstack's branch refs/heads/master from [~minchen07]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=e6ead31 ]

CLOUDSTACK-7175: Domain Id is exposed in error message when cross domain
access is attempted when listing Vms.

> Domain Id is exposed in error message when cross domain access is attempted when listing Vms.
> ---------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-7175
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7175
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: IAM
>    Affects Versions: 4.2.0
>            Reporter: Min Chen
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.5.0
>
>
> Domain Id is exposed in error message when cross domain access is attempted when listing Vms.
> Steps to reproduce the problem:
> The following listVirtualMachines calls, when passing a domain Id that the caller does not have access permissions for, expose the domain Id. In such cases, only the uuid of the domain should be presented to the user:
> Scenario 1:
> GET http://<ip>/client/api?command=listVirtualMachines&domainId=ac6dfd54-c1ad-401d-8bbf-de1c77795a60&account=testD1-TestVMList-GEFMGD&listAll=true&apiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REw&signature=UtajpNj839fVNm8tZkNMdJJoRCM%3D
> current Time: Fri Apr 11 11:01:23 PDT 2014
> <?xml version="1.0" encoding="UTF-8"?><listvirtualmachinesresponse cloud-stack-version="4.4.0-SNAPSHOT"><errorcode>431</errorcode><cserrorcode>4350</cserrorcode><errortext>could not find account testD1-TestVMList-GEFMGD in domain ac6dfd54-c1ad-401d-8bbf-de1c77795a60</errortext></listvirtualmachinesresponse>Connection to 10.223.49.6 8080 port [tcp/webcache] succeeded!
> GET http://<ip>/client/api?command=listVirtualMachines&domainId=ca50d169-bbb2-4f2d-b61a-963151ade5ed&account=testD1-TestVMList-GEFMGD&listAll=true&apiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REw&signature=gMDWL4B7jI%2Bm5sDlR47atlJlMao%3D
> current Time: Fri Apr 11 11:01:23 PDT 2014
> <?xml version="1.0" encoding="UTF-8"?><listvirtualmachinesresponse cloud-stack-version="4.4.0-SNAPSHOT"><errorcode>531</errorcode><cserrorcode>4365</cserrorcode><errortext>Acct[c913ca88-30de-4ce7-9160-cce514314e4f-testD1-TestVMList-3VK254] does not have permission to operate within domain id=9</errortext></listvirtualmachinesresponse>Connection to 10.223.49.6 8080 port [tcp/webcache] succeeded!
> GET http://<ip>/client/api?command=listVirtualMachines&domainId=ca50d169-bbb2-4f2d-b61a-963151ade5ed&listAll=true&apiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REw&signature=nvUKFsegTkIhdPH39%2BulAYjiCac%3D
> current Time: Fri Apr 11 11:01:21 PDT 2014
> <?xml version="1.0" encoding="UTF-8"?><listvirtualmachinesresponse cloud-stack-version="4.4.0-SNAPSHOT"><errorcode>531</errorcode><cserrorcode>4365</cserrorcode><errortext>Acct[cf5d6b37-4e26-406c-9b32-15bc3bf71095-testD1-TestVMList-3VK254] does not have permission to operate within domain id=9</errortext></listvirtualmachinesresponse>Connection to 10.223.49.6 8080 port [tcp/webcache] succeeded!



--
This message was sent by Atlassian JIRA
(v6.2#6252)
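The quoted captures show the core of the defect: the permission-denied text for scenario 1 names the target domain by its internal database id ("domain id=9") rather than by the uuid the caller already supplied. The example below is added here and is not CloudStack's code; it models the "before" message shape beside a hardened form that echoes only the uuid, and adds a small regression check that parses a listvirtualmachinesresponse-style XML document and reports any bare numeric id in errortext. The Domain/Account dataclasses, build_response, leaked_internal_ids and the "x.y.z" version string are assumptions made for the example; the uuids, account name and domain id are taken from the report's own captures, and the trailing netcat line is reproduced so the parser shows how to cope with non-XML text appended after the response.

```python
# Added example (not CloudStack's code): the error-message pattern from the
# report beside a hardened form, plus a regression check that scans a
# CloudStack-style XML error response for leaked internal numeric ids.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape


@dataclass(frozen=True)
class Domain:
    id: int     # internal database row id; must never reach API clients
    uuid: str   # public identifier that API callers already know


@dataclass(frozen=True)
class Account:
    uuid: str
    name: str


def leaky_permission_error(caller: Account, target: Domain) -> str:
    """'Before' form, in the shape quoted in the report: echoes target.id."""
    return (f"Acct[{caller.uuid}-{caller.name}] does not have permission "
            f"to operate within domain id={target.id}")


def safe_permission_error(caller: Account, target: Domain) -> str:
    """Hardened form: only the uuid the caller supplied is echoed back."""
    return (f"Acct[{caller.uuid}-{caller.name}] does not have permission "
            f"to operate within domain {target.uuid}")


def build_response(errortext: str, errorcode: int = 531,
                   cserrorcode: int = 4365) -> str:
    """Constructed response in the layout of the listvirtualmachinesresponse
    documents quoted in the report (the version string is a placeholder)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<listvirtualmachinesresponse cloud-stack-version="x.y.z">'
            f'<errorcode>{errorcode}</errorcode>'
            f'<cserrorcode>{cserrorcode}</cserrorcode>'
            f'<errortext>{escape(errortext)}</errortext>'
            '</listvirtualmachinesresponse>')


# A bare integer after "id=" (optionally "domain id="); uuids never match
# because they contain hex letters and dashes, not only digits.
_INTERNAL_ID = re.compile(r"\b(?:domain\s+)?id=(\d+)\b", re.IGNORECASE)


def leaked_internal_ids(raw: str) -> list[str]:
    """Return every internal numeric id found in <errortext> elements.

    The raw text may carry trailing non-XML output (the quoted captures end
    with a netcat status line), so parsing stops at the last '>'."""
    xml_part = raw[: raw.rfind(">") + 1]
    root = ET.fromstring(xml_part)
    found: list[str] = []
    for node in root.iter("errortext"):
        found.extend(_INTERNAL_ID.findall(node.text or ""))
    return found


# Sample values taken from the report's own captures.
CALLER = Account(uuid="cf5d6b37-4e26-406c-9b32-15bc3bf71095",
                 name="testD1-TestVMList-3VK254")
TARGET = Domain(id=9, uuid="ca50d169-bbb2-4f2d-b61a-963151ade5ed")
# Constructed trailer mimicking the shell output pasted after each response.
TRAILER = "Connection to 10.223.49.6 8080 port [tcp/webcache] succeeded!"


def check_both_forms() -> tuple[list[str], list[str]]:
    """Run the regression check over the leaky and the hardened message."""
    leaky = build_response(leaky_permission_error(CALLER, TARGET)) + TRAILER
    safe = build_response(safe_permission_error(CALLER, TARGET)) + TRAILER
    return leaked_internal_ids(leaky), leaked_internal_ids(safe)


if __name__ == "__main__":
    leaky_ids, safe_ids = check_both_forms()
    print("leaky form exposes internal ids:", leaky_ids)    # ['9']
    print("hardened form exposes internal ids:", safe_ids)  # []
```

The check is deliberately narrow: it flags only bare integers introduced by "id=", so the scenario-1 first response ("could not find account ... in domain ac6dfd54-...") passes while the "domain id=9" text fails. Wiring a check like this into API tests catches the regression the issue describes without depending on the exact wording of the message.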