You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cloudstack.apache.org by "Demetrius Tsitrelis (JIRA)" <ji...@apache.org> on 2014/06/25 02:03:27 UTC

[jira] [Commented] (CLOUDSTACK-3342) Object_Store_Refactor - S3 "Secret Key" must not be visible in the UI after S3 Object store creation.

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-3342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14042868#comment-14042868 ] 

Demetrius Tsitrelis commented on CLOUDSTACK-3342:
-------------------------------------------------

This is a poor security practice.  It was Amazon which provided him his secret key - NOT CloudStack.  What is the use case for an "admin" (who actually be a shoulder-surfer) seeing the S3 secret key?

Further, in addition to changing the UI we should also remove the secret key from response to the underlying CloudStack API.

> Object_Store_Refactor - S3 "Secret Key" must not be visible in the UI after S3 Object store creation.
> -----------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3342
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3342
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: UI
>    Affects Versions: 4.2.0
>            Reporter: Thomas O'Dowd
>            Assignee: Min Chen
>              Labels: s3, security
>
> 1. Login to a freshly deployed devcloud server. 
> 2. Click Infrastructure 
> 3. Click secondary Storage 
> 4. Remove NFS 
> 5. Add new S3 Secondary Storage (anything will do for this bug as its a display bug)
> 6. Re-visit secondary storage and click on the S3 storage you created.
> Expectation:
> You can NOT see the "secret key". 
> Actual:
> You can see all the details of the S3 object store including the "secret key".
> The secret key is like a password. Anyone knowing the secret key can upload/delete etc from the S3 store. It should not be available easily in my opinion. I guess its easily available in the database anyway but lets keep it out of the browser after its been input. It can be displayed using ***.



--
This message was sent by Atlassian JIRA
(v6.2#6252)