[ https://issues.apache.org/jira/browse/CLOUDSTACK-3323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13711890#comment-13711890 ]

Min Chen commented on CLOUDSTACK-3323:
--------------------------------------

This is actually ok based on community discussion. Here is a much better 
explanation from Thomas O'Dowd from S3 vendor Cloudian:

"It's OK security-wise. This link uses query string authentication. 
The AK is needed to identify the S3 user to the Object Store (AWS,
Cloudian, Riak, etc). The request is made up of the method 'GET', the
URI and a timestamp when the request expires. All of this is then signed
using the SK and the result is the signature query parameter. The
specific URL allows any user with that URL access to GET that particular
object as that user for a limited period of time. In the current case,
the URL is valid for 1 hour. There is no server-side cost to these URLs."

Also another comment from John Burwell regarding security practice on S3: 
"CloudStack does not need to be manipulating ACLs or other administrative 
features.  Therefore, we should add documentation to advise users that to limit 
the impact of a credential exposure, they should create a dedicated credential 
set with access to only the CloudStack associated bucket."
                
> [Object_Store_Refactor] URL provided by extract template command should not 
> contain AccessKeyId
> -----------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3323
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3323
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>         Environment: Latest build from master branch
>            Reporter: Sanjeev N
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.2.0
>
>
> Extract template command on a template which is stored in S3 bucket provides 
> the URL in the following format:
>  Pre-Signed URL = 
> http://10.147.29.57:8080/imagestore/template%2Ftmpl%2F1%2F5%2Fcentos56-x86_64-xen%2Fcentos56-x86_64.vhd.bz2?Expires=1372787604&AWSAccessKeyId=9M7I6JPYZHDNLG43TWCD&Signature=lP%2BwQtqY6E%2B3qWQR3ZKIE4wIEHY%3D
> The URL provided to download the template contains AccessKeyId of the S3 
> bucket but it should not be exposed to the CS User.
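
The query string authentication described in the comment above, as an added example (not part of the original thread, and not CloudStack's or any vendor's code). It follows the AWS Signature Version 2 query-string scheme, whose parameters match the URL in the ticket; the host, object path, keys and the `verify` status strings are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, quote, urlsplit

# Constructed values for illustration only; none come from the ticket.
ACCESS_KEY = "AKEXAMPLE0000000TEST"
SECRETS = {ACCESS_KEY: b"constructed-secret-key"}   # object store's AK -> SK table
BASE = "http://objectstore.example:8080"
RESOURCE = "/imagestore/template%2Ftmpl%2Fexample.vhd.bz2"

def sign(secret, method, resource, expires):
    # SigV2 string-to-sign: verb, Content-MD5, Content-Type (both empty for a
    # plain GET), expiry timestamp, then the resource path.
    string_to_sign = f"{method}\n\n\n{expires}\n{resource}"
    mac = hmac.new(secret, string_to_sign.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def presign(resource, access_key, expires):
    # Only the AK and the signature go into the URL; the SK never does.
    sig = sign(SECRETS[access_key], "GET", resource, expires)
    return (f"{BASE}{resource}?Expires={expires}"
            f"&AWSAccessKeyId={access_key}&Signature={quote(sig, safe='')}")

def verify(url, method, now):
    # Object-store side: the AK selects the SK, then the signature is recomputed.
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        access_key = q["AWSAccessKeyId"][0]
        expires = int(q["Expires"][0])
        presented = q["Signature"][0]
    except (KeyError, ValueError):
        return "malformed"
    secret = SECRETS.get(access_key)
    if secret is None:
        return "unknown-key"
    expected = sign(secret, method, parts.path, expires)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return "bad-signature"      # method, path or expiry was altered
    if now > expires:
        return "expired"
    return "ok"
```

Changing the method, the object path or the `Expires` value invalidates the signature, so the access key in the URL grants nothing beyond a time-limited GET of that one object.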
