[
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15080496#comment-15080496
]
ASF GitHub Bot commented on CLOUDSTACK-9099:
--------------------------------------------
Github user DaanHoogland commented on the pull request:
https://github.com/apache/cloudstack/pull/1152#issuecomment-168527559
@kansal I don't agree that making noise first is the way to go. We should
disable the return of the key first and document it. Security demands that we
play it that way. We can allow users to enable this insecure behaviour by
setting a flag somewhere but it should not be default and catch the unaware
users off guard. It will be work in the integration tests but that just will
have to happen.
> SecretKey is returned from the APIs
> -----------------------------------
>
> Key: CLOUDSTACK-9099
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9099
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Reporter: Kshitij Kansal
> Assignee: Kshitij Kansal
>
> The secretKey parameter is returned from the following APIs:
> createAccount
> createUser
> disableAccount
> disableUser
> enableAccount
> enableUser
> listAccounts
> listUsers
> lockAccount
> lockUser
> registerUserKeys
> updateAccount
> updateUser