Yup. Prachi and Likitha are working on breaking them down into end user and admin. Admin gets moved to another endpoint. We're exploring right now.
I'll ask them to send out the details once they have the prototype.

--Alex

> -----Original Message-----
> From: Chiradeep Vittal
> Sent: Friday, October 26, 2012 9:53 AM
> To: CloudStack DeveloperList; Alex Huang
> Subject: Re: Is there anyway to block root admin APIs on WAF?
>
> This sounds like an excellent idea. Could you raise an enhancement request?
> I do remember someone talking about moving all admin level APIs to a
> separate webapp.
> Alex?
>
> On 10/25/12 3:47 PM, "Clement Chen" <[email protected]> wrote:
>
> >I am wondering whether there is an easy way to block high privilege
> >APIs on WAF. For example, for security reasons customers might want to
> >block remote access to root admin APIs or limit access to domain admin
> >APIs to certain IP addresses.
> >
> >It can be easily done on WAF if we have separate API endpoints for root
> >admin/domain admin/end user APIs. For example, in case of VMware vCloud
> >Director, APIs accessible only to system admins are under
> >http://hostname/cloud/api/1.0/admin/extension and this can be easily
> >blocked on a WAF.
> >
> >Our API is not pure REST API and we do not have separate endpoints. Is
> >there any easy way to block high privilege APIs other than blocking the
> >commands one by one in the WAF?
> >
> >Thanks.
> >
> >-Clement
