[ https://issues.apache.org/jira/browse/CLOUDSTACK-3342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13699658#comment-13699658 ]
Min Chen commented on CLOUDSTACK-3342:
--------------------------------------

I don't think that this is an issue at all. This Infrastructure page UI is only available to the cloud admin, who is the person who set up S3 secondary storage, so he/she already knows the S3 secret key. Hiding or not hiding it will make no difference. This UI will not be visible to end users, so it should not expose a security issue.

> Object_Store_Refactor - S3 "Secret Key" must not be visible in the UI after S3 Object store creation.
> -----------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-3342
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3342
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: UI
> Affects Versions: 4.2.0
> Reporter: Thomas O'Dowd
> Assignee: Min Chen
> Labels: s3, security
>
> 1. Login to a freshly deployed devcloud server.
> 2. Click Infrastructure
> 3. Click secondary Storage
> 4. Remove NFS
> 5. Add new S3 Secondary Storage (anything will do for this bug as it's a display bug)
> 6. Re-visit secondary storage and click on the S3 storage you created.
>
> Expectation:
> You can NOT see the "secret key".
>
> Actual:
> You can see all the details of the S3 object store including the "secret key".
>
> The secret key is like a password. Anyone knowing the secret key can upload/delete etc from the S3 store. It should not be available easily in my opinion. I guess it's easily available in the database anyway but let's keep it out of the browser after it's been input. It can be displayed using ***.