On Thu, Mar 28, 2013 at 01:33:15PM +0000, Murali Reddy wrote:
> On 27/03/13 9:49 PM, "Chip Childers" <chip.child...@sungard.com> wrote:
>
> >On Wed, Mar 27, 2013 at 03:39:25PM +0000, Murali Reddy wrote:
> >> On 27/03/13 8:04 PM, "Chip Childers" <chip.child...@sungard.com> wrote:
> >>
> >> >
> >> >Murali Reddy -
> >> > CLOUDSTACK-1673 AWS Regions - Events - User disable event does not
> >> >include the UUID of the user that was disabled.
> >> >
> >> > Murali, you mentioned that you were working on a fix for this. You
> >> > happened to note that you would have it by the 20th. Having any luck?
> >>
> >>
> >> Sorry on the delay. Though I have fix ready, I can not fully test it
> >> because most of the events are not generated due to bug CLOUDSTACK-1664.
> >> Moreover I do not think it's critical bug. I have left below comment in the
> >> bug and marked as major. I can fix this bug if required only after fix for
> >> CLOUDSTACK-1664 is checked-in.
> >>
> >> "Do not think it's critical issue in the context of Regions. While syncing
> >> account/user/domain information across the regions using event bus is just
> >> one implementation option. User provisioning systems like portals can
> >> directly create account/user/domains across regions without need of event
> >> bus.
> >>
> >> Even if one uses event bus, there are other implementation options with
> >> which one can achieve this. For eg, when User/Account/Domain create event
> >> occurs, consumers can query list of account/domain/accounts details in the
> >> region which generated the event and figure the details of new object
> >> created."
> >>
> >
> >Thanks for the reply. Assuming that Kelvin's patch for 1664 is actually
> >in the set of fixes I already applied to 4.1, does that mean that you can
> >test and resolve 1673 now? I see your point about this not being the only
> >implementation model for regions, but it is the one that's being
> >included as the reference approach for 4.1. Not syncing a disable event
> >sounds like a potential security hole.
> >
> >Unless anyone objects, and based on the logic above, I'd still consider
> >1673 as a critical fix for 4.1.
> >
> >-chip
> >
>
> Ok, I can fix bug 1673 for 4.1 but I do not see any security issue with
> 1673. The bug is about the events published on the event bus, does not
> have specific information (UUID) on which user/account action is taken.
> Did you mean issue reported in 1664 is security issue? There are no events
> generated at all by CloudStack for account enable etc.
>
> On 1673, I wasted some time testing this issue on master, looks like
> changes for CLOUDSTACK-1664 are not in master yet. I will test with 4.1,
> and see if I can close this bug by EOD today.

It's possible that I'm misinterpreting the effect of 1673, specifically I assumed that it meant that a user/account being disabled in one region wouldn't propagate to the other region(s). If that's not the case, then this may certainly be a nice to have.

I defer to your judgement, but in either case a fix would be great... ;-)

-chip