GitHub user wido opened a pull request:
https://github.com/apache/cloudstack/pull/2046
CLOUDSTACK-7958: Add configuration for limit to CIDRs for Admin API calls
The global setting 'management.admin.cidr' is set to 0.0.0.0/0,::/0
by default preserve the current behavior and thus allow API calls
for Admin accounts from all IPv4 and IPv6 subnets.
Users can set it to a comma-separated list of IPv4/IPv6 subnets to
restrict API calls for Admin accounts to certain parts of their network(s).
This is to improve Security. Should a attacker steal the Access/Secret key
of a Admin account he/she still needs to be in a subnet from where Admin
accounts
are allowed to perform API calls.
This is a good security measure for APIs which are connected to the public
internet.
This PR also includes a commit to cleanup and improve NetUtils.
No existing methods have been altered. That has been verified by adding
additional Unit Tests for this.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/wido/cloudstack admin-cidr
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/2046.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2046
----
commit 770b0bdd4f20deefcb11d9c7b7713e06e3281e8e
Author: Wido den Hollander <[email protected]>
Date: 2017-04-13T15:23:24Z
Cleanup and Improve NetUtils
This class had many unused methods, inconsistent names and redundant code.
This commit cleans up code, renames a few methods and constants.
Methods were renamed to clearly show that they are for IPv4 or IPv6.
Tests were improved and added to test the changes that were made to the
code.
Signed-off-by: Wido den Hollander <[email protected]>
commit fb6ab51ba384cb2ae3eed788f3c241b4c28c9bf5
Author: Wido den Hollander <[email protected]>
Date: 2017-04-13T15:23:36Z
CLOUDSTACK-7958: Add configuration for limit to CIDRs
The global setting 'management.admin.cidr' is set to 0.0.0.0/0,::/0
by default preserve the current behavior and thus allow API calls
for Admin accounts from all IPv4 and IPv6 subnets.
Users can set it to a comma-separated list of IPv4/IPv6 subnets to
restrict API calls for Admin accounts to certain parts of their network(s).
This is to improve Security. Should a attacker steal the Access/Secret key
of a Admin account he/she still needs to be in a subnet from where Admin
accounts
are allowed to perform API calls.
This is a good security measure for APIs which are connected to the public
internet.
Signed-off-by: Wido den Hollander <[email protected]>
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
