On 27/03/13 9:49 PM, "Chip Childers" <chip.child...@sungard.com> wrote:
>On Wed, Mar 27, 2013 at 03:39:25PM +0000, Murali Reddy wrote:
>> On 27/03/13 8:04 PM, "Chip Childers" <chip.child...@sungard.com> wrote:
>>
>> >
>> >Murali Reddy -
>> > CLOUDSTACK-1673 AWS Regions - Events - User disable event does not
>> >include the UUID of the user that was disabled.
>> >
>> > Murali, you mentioned that you were working on a fix for this. You
>> > happened to note that you would have it by the 20th. Having any luck?
>>
>>
>> Sorry for the delay. Though I have a fix ready, I cannot fully test it
>> because most of the events are not generated due to bug CLOUDSTACK-1664.
>> Moreover, I do not think it's a critical bug. I have left the comment
>> below in the bug and marked it as major. I can fix this bug, if required,
>> only after the fix for CLOUDSTACK-1664 is checked in.
>>
>> "Do not think it's a critical issue in the context of Regions. Syncing
>> account/user/domain information across the regions using the event bus is
>> just one implementation option. User provisioning systems like portals can
>> directly create accounts/users/domains across regions without needing the
>> event bus.
>>
>> Even if one uses the event bus, there are other implementation options
>> with which one can achieve this. For example, when a User/Account/Domain
>> create event occurs, consumers can query the list of
>> account/domain/accounts details in the region which generated the event
>> and figure out the details of the new object created."
>>
>
>Thanks for the reply. Assuming that Kelvin's patch for 1664 is actually in
>the set of fixes I already applied to 4.1, does that mean that you can test
>and resolve 1673 now? I see your point about this not being the only
>implementation model for regions, but it is the one that's being included
>as the reference approach for 4.1. Not syncing a disable event sounds like
>a potential security hole.
>
>Unless anyone objects, and based on the logic above, I'd still consider
>1673 as a critical fix for 4.1.
>
>-chip
>

Ok, I can fix bug 1673 for 4.1, but I do not see any security issue with
1673. The bug is about the events published on the event bus not having
specific information (the UUID) on which user/account the action was taken.
Did you mean that the issue reported in 1664 is a security issue? There are
no events generated at all by CloudStack for account enable etc.

On 1673, I wasted some time testing this issue on master; it looks like the
changes for CLOUDSTACK-1664 are not in master yet. I will test with 4.1 and
see if I can close this bug by EOD today.