[ https://issues.apache.org/jira/browse/CLOUDSTACK-3030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13685040#comment-13685040 ]

Thomas O'Dowd commented on CLOUDSTACK-3030:
-------------------------------------------

An afterthought. I'm not sure how well supported the "Query String Request 
Authentication" (QSRA) is in non-AWS (and non-Cloudian) S3 object stores, so 
perhaps this needs to be configurable. QSRA should be the default approach 
though, to keep templates and other objects in the correct hands.
                
> Object_Store_Refactor - Download template from S3 should not set template to 
> public-readable.
> ---------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3030
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3030
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Template
>         Environment: latest object_store branch on fedora 17 
> devcloud on same machine 
> Cloudian (for S3 services) on separate machine. (expect similar result with 
> other S3 object stores).
>            Reporter: Thomas O'Dowd
>
> This is a security issue in my opinion.
> When you upload a template to S3 secondary storage and then try to download 
> it, Cloudstack changes the permission on the S3 object to the canned acl 
> "public-read" and then displays the url in a popup which the user can click 
> on to download the template. 
> Using "public-read" is bad because it means that anyone who knows the S3 
> object name can now download the template. Instead of using the 
> canned ACL "public-read", I recommend using "Query String Request 
> Authentication Alternative", which is described at the following url: 
> http://docs.aws.amazon.com/AmazonS3/2006-03-01/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
> This allows Cloudstack to generate a unique short lived url for the user to 
> download the template while keeping the template private in the S3 object 
> store.
> Steps:
> 1. setup S3 object storage (can be amazon) 
> 2. Add S3 as secondary storage in Cloudstack.
> 3. Upload a new template (I uploaded "tinyLinux.vhd.gz" by giving a url on my 
> local network where I had it hosted)
> 4. Try to download the template.
> When you download via the GUI, you can check the ACL of the template object and 
> see that it can be downloaded by anyone. If you check the XML of the response, 
> you should find the following grant.
> ====== Partial XML showing S3 object has public read access =====
> <Grant>
>   <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
>     <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
>   </Grantee>
>   <Permission>READ</Permission>
> </Grant>
> ====== end of XML showing S3 object has public read access =====
> The canned-acl "public-read" is applied to the template in a separate 
> operation when you click to download the template using a PUT Object ACL 
> request.
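The two mechanisms the report contrasts, as an added example that is neither CloudStack's code nor the reporter's: a check that parses a GET Object ACL response and flags the AllUsers READ grant that canned ACL "public-read" leaves behind, and a generator for the short-lived download URL that the AWS query-string authentication page (linked above) describes, together with the verification the object store performs (expiry, then HMAC-SHA1 signature). The bucket name `templates`, the key `tinyLinux.vhd.gz`, the credentials and the ACL XML are constructed sample values, and the function names are hypothetical; the signing scheme is the legacy one from the linked page (a current SDK would presign with SigV4 instead), and keys are assumed to contain only URL-safe characters.

```python
import base64
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Grantee URI that canned ACL "public-read" adds with READ permission.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed sample ACL responses (not captured from a real object store).
# PUBLIC_READ_ACL mirrors the grant quoted in the issue; PRIVATE_ACL is the
# default state, where only the owner holds FULL_CONTROL.
PUBLIC_READ_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>owner-id-example</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>owner-id-example</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

PRIVATE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>owner-id-example</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>owner-id-example</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""


def _local(tag):
    # Strip the XML namespace so the check works with or without the S3 xmlns.
    return tag.rsplit("}", 1)[-1]


def has_public_read_grant(acl_xml):
    """True if any Grant gives READ (or FULL_CONTROL) to the AllUsers group."""
    root = ET.fromstring(acl_xml)
    for grant in (e for e in root.iter() if _local(e.tag) == "Grant"):
        uri = perm = None
        for child in grant.iter():
            if _local(child.tag) == "URI":
                uri = (child.text or "").strip()
            elif _local(child.tag) == "Permission":
                perm = (child.text or "").strip()
        if uri == ALL_USERS_URI and perm in ("READ", "FULL_CONTROL"):
            return True
    return False


def _string_to_sign(bucket, key, expires):
    # Query-string authentication signs: the verb, an empty Content-MD5, an
    # empty Content-Type, the Expires epoch in the Date slot, and the resource.
    return "GET\n\n\n%d\n/%s/%s" % (expires, bucket, key)


def _sign(secret_key, string_to_sign):
    # Signature = Base64(HMAC-SHA1(SecretAccessKey, StringToSign))
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def presigned_template_url(bucket, key, access_key, secret_key, ttl_seconds, now=None):
    """Short-lived download URL for a template that stays private in the store."""
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_seconds)
    signature = _sign(secret_key, _string_to_sign(bucket, key, expires))
    return "https://%s.s3.amazonaws.com/%s?AWSAccessKeyId=%s&Expires=%d&Signature=%s" % (
        bucket, quote(key, safe="/"), access_key, expires, quote(signature, safe=""))


def verify_presigned_url(url, secret_key, now):
    """The check the object store performs: reject expired or tampered URLs."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["Expires"][0])
        signature = params["Signature"][0]   # parse_qs already URL-decodes it
    except (KeyError, ValueError):
        return False
    if int(now) > expires:
        return False                          # link has outlived its TTL
    bucket = parts.hostname.split(".", 1)[0]
    key = unquote(parts.path.lstrip("/"))
    expected = _sign(secret_key, _string_to_sign(bucket, key, expires))
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    print("public-read grant present:", has_public_read_grant(PUBLIC_READ_ACL))
    url = presigned_template_url("templates", "tinyLinux.vhd.gz",
                                 "AKIAEXAMPLEKEY", "secret-example", 600)
    print(url)
    print("valid now:", verify_presigned_url(url, "secret-example", time.time()))
```

`has_public_read_grant` is the kind of check to run over `GET ?acl` responses for every template object after an upgrade, since a PUT Object ACL that already happened is not undone by changing the download code; `presigned_template_url` shows the alternative the reporter proposes, where the object keeps its default ACL and only the URL, not the object, carries the time-limited grant.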

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
