Posted to users@cloudstack.apache.org by Fabrice Brazier <fa...@apalia.net> on 2012/11/15 11:55:25 UTC

Forbid direct API connection

Hi Folks,



Is there a way to disable the API connection on a management server?

I don’t want to allow API requests from the internet.



Thanks,

Fabrice



-- 
Fabrice Brazier
Apalia™
FR: +33-632-73-53-00
http://www.apalia.net
fabrice.brazier@apalia.net

RE: Forbid direct API connection

Posted by "Musayev, Ilya" <im...@webmd.net>.
Fabrice

Are you using port 8080 or 8096 for API calls?

If it's 8096, you can set up iptables rules to allow only incoming connections from x host.

Regards
ilya

-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com] 
Sent: Thursday, November 15, 2012 7:33 AM
To: cloudstack-users@incubator.apache.org
Subject: RE: Forbid direct API connection

Hi Fabrice,

As an admin, you can provision a new VM for a specific account; the user does not need an API / Secret Key. You will be using the Admin Account API / Secret Key or the Unauthenticated Port, which requires no keys.

If you have to do it at account level, you could simply create a user within each account which has the API / Secret Keys enabled, but only known to yourself, but I don’t believe this is required as the Root Admin can do most things on behalf of any account.

Regards

Geoff


-----Original Message-----
From: Fabrice Brazier [mailto:fabrice.brazier@apalia.net]
Sent: 15 November 2012 11:11
To: cloudstack-users@incubator.apache.org
Subject: RE: Forbid direct API connection

Hi Geoff,

I have two management servers and I want to allow API connections only on the second management server.
I need the secret key and the API key for each account. E.g. I want to provision a new VM for the end-user through the API (from the second management server).

Regards
Fabrice

-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com]
Sent: Thursday, 15 November 2012 11:59
To: cloudstack-users@incubator.apache.org
Subject: RE: Forbid direct API connection

Hi Fabrice,

If users do not have a Secret Key and API key then they cannot use the API.
You could use a SQL Query to go through and remove all Keys.  Admins could still use the unauthenticated API Port, obviously on a random port for enhanced security.

Regards

Geoff

-----Original Message-----
From: Fabrice Brazier [mailto:fabrice.brazier@apalia.net]
Sent: 15 November 2012 10:55
To: cloudstack-users@incubator.apache.org
Subject: Forbid direct API connection

Hi Folks,



Is there a way to disable the API connection on a management server?

I don’t want to allow API requests from the internet.



Thanks,

Fabrice



--
Fabrice Brazier
Apalia™
FR: +33-632-73-53-00
http://www.apalia.net
fabrice.brazier@apalia.net
ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue’s expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.


RE: Forbid direct API connection

Posted by Geoff Higginbottom <ge...@shapeblue.com>.
Hi Fabrice,

As an admin, you can provision a new VM for a specific account; the user does not need an API / Secret Key. You will be using the Admin Account API / Secret Key or the Unauthenticated Port, which requires no keys.

If you have to do it at account level, you could simply create a user within each account which has the API / Secret Keys enabled, but only known to yourself, but I don’t believe this is required as the Root Admin can do most things on behalf of any account.

Regards

Geoff



RE: Forbid direct API connection

Posted by Fabrice Brazier <fa...@apalia.net>.
Hi Geoff,

I have two management servers and I want to allow API connections only on the
second management server.
I need the secret key and the API key for each account. E.g. I want to
provision a new VM for the end-user through the API (from the second
management server).

Regards
Fabrice


RE: Forbid direct API connection

Posted by Geoff Higginbottom <ge...@shapeblue.com>.
Hi Fabrice,

If users do not have a Secret Key and API key then they cannot use the API.  You could use a SQL Query to go through and remove all Keys.  Admins could still use the unauthenticated API Port, obviously on a random port for enhanced security.

Regards

Geoff


Re: Forbid direct API connection

Posted by David Nalley <da...@gnsa.us>.
On Thu, Nov 15, 2012 at 5:55 AM, Fabrice Brazier
<fa...@apalia.net> wrote:
> Hi Folks,
>
>
>
> Is there a way to disable the API connection on a management server?
>
> I don’t want to allow API requests from the internet.
>


So it's an ugly way of doing things - but don't allow inbound
connections on 8080, and run things through a rev. proxy - and don't
let anything with the path /client/api/ pass

--David
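
The reverse-proxy approach David describes, sketched as an nginx configuration. This is an added example, not part of the original thread; the server name, certificate paths and the backend address 127.0.0.1:8080 are assumptions, and /client/api is the path named in the post.

```nginx
# Added example (not from the thread). Assumed values: server name,
# certificate paths, and a management server reachable on 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name cloud.example.org;                               # placeholder

    ssl_certificate     /etc/nginx/tls/cloud.example.org.crt;    # placeholder
    ssl_certificate_key /etc/nginx/tls/cloud.example.org.key;    # placeholder

    # Refuse the API endpoint. nginx matches locations against the
    # normalized URI (percent-decoded, "." and ".." resolved, adjacent
    # slashes merged), so encoded or doubled-slash spellings of the path
    # are caught by the same rule. "^~" keeps any regex location added
    # later from taking precedence over this prefix match.
    location ^~ /client/api {
        return 403;
    }

    # Everything else is handed to the management server.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The proxy only helps if it is the sole way in: inbound connections to 8080 (and to 8096, if the unauthenticated port is enabled) still have to be closed at the firewall, as the replies above say.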