[
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15274102#comment-15274102
]
ASF GitHub Bot commented on CLOUDSTACK-9099:
--------------------------------------------
Github user jburwell commented on a diff in the pull request:
https://github.com/apache/cloudstack/pull/1152#discussion_r62336941
--- Diff: server/src/com/cloud/user/AccountManager.java ---
@@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria<?
extends ControlledViewEntity> s
public static final String MESSAGE_ADD_ACCOUNT_EVENT =
"Message.AddAccount.Event";
public static final String MESSAGE_REMOVE_ACCOUNT_EVENT =
"Message.RemoveAccount.Event";
+ public static final ConfigKey<Boolean> UseSecretKeyInResponse = new
ConfigKey<Boolean>(
+ "Advanced",
+ Boolean.class,
+ "use.secret.key.in.response",
+ "true",
--- End diff --
@kansal I agree with @DaanHoogland and @remibergsma -- it's about
reasonable and secure defaults. We should not configure a management server
insecurely by default.
> SecretKey is returned from the APIs
> -----------------------------------
>
> Key: CLOUDSTACK-9099
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9099
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Reporter: Kshitij Kansal
> Assignee: Kshitij Kansal
>
> The sercreKey parameter is returned from the following APIs:
> createAccount
> createUser
> disableAccount
> disableUser
> enableAccount
> enableUser
> listAccounts
> listUsers
> lockAccount
> lockUser
> registerUserKeys
> updateAccount
> updateUser
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
