I've had such discussions before and I've tried to fix this but could not justify properly as there could be other layers who may want to directly exploit CloudStack's APIs, for example a business/billing/management layer. I think for security's sake among many ways -- move this behaviour out as a plugin which is disabled by default (so admins can decide whether to turn on or off) and/or restrict listening on localhost/loopback for this port.

Regards.

On Wed, Sep 4, 2013 at 11:19 PM, Darren Shepherd <darren.s.sheph...@gmail.com> wrote:

> Why do we need an unauthenticated backdoor? Is there any chance we can
> just get rid of that entry point to CloudStack?
>
> Darren