[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-06-06 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16038538#comment-16038538
 ] 

ASF subversion and git services commented on CLOUDSTACK-9099:
-

Commit 68d50fbfd86dae20ff1b78e7a054b0fdee2605d7 in cloudstack's branch 
refs/heads/master from [~rajanik]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=68d50fb ]

Merge pull request #1996 from Accelerite/secretkey

CLOUDSTACK-9099: SecretKey is returned from the APIs

> SecretKey is returned from the APIs
> ---
>
> Key: CLOUDSTACK-9099
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9099
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Affects Versions: 4.9.0
>Reporter: Kshitij Kansal
>Assignee: Kshitij Kansal
> Fix For: 4.10.0.0, 4.9.3.0
>
>
> The secretKey parameter is returned from the following APIs:
> createAccount
> createUser
> disableAccount
> disableUser
> enableAccount
> enableUser
> listAccounts
> listUsers
> lockAccount
> lockUser
> registerUserKeys
> updateAccount
> updateUser



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
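
A check for the exposure this issue describes, as an added example that is not part of the original thread or of CloudStack's code: it walks JSON API responses and reports where a non-empty secret-key field appears, without printing the value. The response bodies are constructed samples, and treating getUserKeys as the only command allowed to return the key is an assumption.

```python
import json

# The thirteen API commands named in the issue description.
REPORTED_COMMANDS = (
    "createAccount", "createUser", "disableAccount", "disableUser",
    "enableAccount", "enableUser", "listAccounts", "listUsers",
    "lockAccount", "lockUser", "registerUserKeys", "updateAccount",
    "updateUser",
)

SENSITIVE_FIELD = "secretkey"  # compared case-insensitively


def secret_key_paths(node, path="$"):
    """Return the JSON path of every non-empty secret-key field under node."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() == SENSITIVE_FIELD and value not in (None, ""):
                hits.append(child)  # record where it is, never the value
            else:
                hits.extend(secret_key_paths(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(secret_key_paths(value, f"{path}[{index}]"))
    return hits


def audit_responses(bodies, allowed=("getUserKeys",)):
    """Map each command that exposes a secret key to the paths where it appears.

    bodies:  {command name: raw JSON response text}
    allowed: commands whose purpose is to return the key (assumption).
    """
    findings = {}
    for command, raw in bodies.items():
        if command in allowed:
            continue
        try:
            doc = json.loads(raw)
        except ValueError:
            # A body that cannot be parsed cannot be cleared either.
            findings[command] = ["<unparsable response>"]
            continue
        paths = secret_key_paths(doc)
        if paths:
            findings[command] = paths
    return findings


# Constructed sample bodies; all key values are placeholders.
SAMPLE_RESPONSES = {
    "listUsers": '{"listusersresponse": {"count": 1, "user": ['
                 '{"username": "alice", "apikey": "CONSTRUCTED-API-KEY",'
                 ' "secretkey": "CONSTRUCTED-SECRET"}]}}',
    "listAccounts": '{"listaccountsresponse": {"count": 1, "account": ['
                    '{"name": "acme", "user": [{"username": "bob",'
                    ' "secretkey": "CONSTRUCTED-SECRET-2"}]}]}}',
    "createUser": '{"createuserresponse": {"user": {"username": "carol",'
                  ' "apikey": "CONSTRUCTED-API-KEY-3"}}}',
    "getUserKeys": '{"getuserkeysresponse": {"listkeys": {'
                   '"apikey": "CONSTRUCTED-API-KEY", '
                   '"secretkey": "CONSTRUCTED-SECRET"}}}',
}

if __name__ == "__main__":
    for command, paths in audit_responses(SAMPLE_RESPONSES).items():
        flag = "reported in issue" if command in REPORTED_COMMANDS else "other"
        print(f"{command} ({flag}): {', '.join(paths)}")
```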


[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-06-06 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16038534#comment-16038534
 ] 

ASF subversion and git services commented on CLOUDSTACK-9099:
-

Commit 87cf33ac5cf7de1537f6b0c9cf752fd12a7a1e32 in cloudstack's branch 
refs/heads/master from Jayapal
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=87cf33a ]

CLOUDSTACK-9099: Added a separate API to apikey and secretkey




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-04-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15968620#comment-15968620
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/1996
  
In Travis CI the tests are failing; it could be because of a timeout. But 
when I run some of the tests locally, they pass. 

The same test, test_invalid_gw_nm, is failing in Travis CI.


=my local xenserver setup test run ==
nosetests-2.7 --with-marvin 
--marvin-config=/Users/jayapal_uradi/dev/advanced.cfg --with-xunit  
--xunit-file=/tmp/test/testslog 
/Users/jayapal_uradi/dev/github/cloudstack/test/integration/component/test_invalid_gw_nm.py
 --zone=zone1 --hypervisor=xenserver

 Marvin Init Started 

=== Marvin Parse Config Successful ===

=== Marvin Setting TestData Successful===

 Log Folder Path: /tmp//MarvinLogs//Apr_14_2017_10_30_49_WKRPUW. All 
logs will be available here 

=== Marvin Init Logging Successful===

 Marvin Init Successful 
===final results are now copied to: 
/tmp//MarvinLogs/test_invalid_gw_nm_XQRFQU===
HSL007948:cloudstack jayapal_uradi$ vi 
/tmp//MarvinLogs/test_invalid_gw_nm_XQRFQU/
failed_plus_exceptions.txt  results.txt runinfo.txt 

HSL007948:cloudstack jayapal_uradi$ vi 
/tmp//MarvinLogs/test_invalid_gw_nm_XQRFQU/results.txt 
HSL007948:cloudstack jayapal_uradi$ cat  
/tmp//MarvinLogs/test_invalid_gw_nm_XQRFQU/results.txt 
test_isolated_nw_invalid_gw 
(integration.component.test_invalid_gw_nm.TestIsolatedNetworkInvalidGw) ... === 
TestName: test_isolated_nw_invalid_gw | Status : SUCCESS ===
ok

--
Ran 1 test in 5.837s

OK
== End of my local setup test run ==


https://travis-ci.org/apache/cloudstack/jobs/221647779

The command ./tools/travis/script.sh component/test_cpu_max_limits 
component/test_cpu_project_limits component/test_deploy_vm_userdata_multi_nic 
component/test_egress_fw_rules component/test_invalid_gw_nm 
component/test_ip_reservation component/test_lb_secondary_ip exited with 1

ContextSuite context=TestIsolatedNetworkInvalidGw>:setup | exceptions.TypeError | 0 | test_invalid_gw_nm




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-04-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15965800#comment-15965800
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/1996
  
@koushik-das  I have updated for your review comments.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-04-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15965487#comment-15965487
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1996#discussion_r111075076
  
--- Diff: 
api/src/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java ---
@@ -0,0 +1,76 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.user;
+
+
+import com.cloud.user.Account;
+import com.cloud.user.User;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.RegisterResponse;
+import org.apache.cloudstack.api.response.UserResponse;
+
+import java.util.List;
+import java.util.logging.Logger;
+
+@APICommand(name = "getUserKeys",
+description = "This command allows the user to query the 
seceret and API keys for the account",
+responseObject = RegisterResponse.class,
+requestHasSensitiveInfo = false,
+responseHasSensitiveInfo = true,
+authorized = {RoleType.User})
--- End diff --
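
Review bot: the `description` string in the `@APICommand` annotation misspells "secret" as "seceret". This text documents a command that returns credentials, so correct the spelling before merge.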

Can you add the 'since' parameter? 




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-04-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15965488#comment-15965488
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1996#discussion_r111075302
  
--- Diff: 
api/src/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java ---
@@ -0,0 +1,76 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.user;
+
+
+import com.cloud.user.Account;
+import com.cloud.user.User;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.RegisterResponse;
+import org.apache.cloudstack.api.response.UserResponse;
+
+import java.util.List;
+import java.util.logging.Logger;
+
+@APICommand(name = "getUserKeys",
+description = "This command allows the user to query the 
seceret and API keys for the account",
+responseObject = RegisterResponse.class,
+requestHasSensitiveInfo = false,
+responseHasSensitiveInfo = true,
+authorized = {RoleType.User})
+
+public class GetUserKeysCmd extends BaseCmd{
+
+@Parameter(name= ApiConstants.ID, type = CommandType.UUID, entityType 
= UserResponse.class, required = true, description = "ID of the user whose keys 
are required")
+private Long id;
+
+public static final Logger s_logger = 
Logger.getLogger(RegisterCmd.class.getName());
+public static final String s_name = "getuserkeysresponse";
+
+public Long getID(){
+return id;
+}
+
+public String getCommandName(){
+return s_name;
+}
+
+public long getEntityOwnerId(){
+User user = _entityMgr.findById(User.class, getID());
+if(user != null){
+return user.getAccountId();
+}
+else return Account.ACCOUNT_ID_SYSTEM;
+}
+public void execute(){
+List keys = _accountService.getKeys(this);
+RegisterResponse response = new RegisterResponse();
+if(keys != null){
+response.setApiKey(keys.get(0));
+response.setSecretKey(keys.get(1));
+}
+
+response.setObjectName("listkeys");
--- End diff --
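
Review bot: in `execute()`, the call `_accountService.getKeys(this)` is the only thing between a caller-supplied `id` and another user's secret key, because the command is `authorized = {RoleType.User}` and nothing visible here checks that the caller may read the target user. Confirm that `getKeys` enforces this and add a test for the denied case. In the same method `keys.get(1)` is guarded only by `keys != null`, so a list with fewer than two entries throws; and `s_logger` is created from `RegisterCmd.class` rather than `GetUserKeysCmd.class`.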

Should this be 'userKeys'?




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-04-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15965486#comment-15965486
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1996#discussion_r111078382
  
--- Diff: server/src/com/cloud/api/ApiDBUtils.java ---
@@ -559,6 +561,8 @@
 @Inject
 private VpcManager vpcMgr;
 @Inject
+private AccountManager accountManager;
--- End diff --

Why is there a need to inject AccountManager? If the config key is static, 
it can be accessed as AccountManager.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-04-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15960396#comment-15960396
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user rhtyd commented on the issue:

https://github.com/apache/cloudstack/pull/1996
  
@jayapalu can you push -f to kick Travis?




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-04-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15960384#comment-15960384
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/1996
  
It seems there is an issue in CI due to which the tests are failing. 




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-04-05 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15956349#comment-15956349
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user kishankavala commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1996#discussion_r109835294
  
--- Diff: server/src/com/cloud/user/AccountManager.java ---
@@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria s
 public static final String MESSAGE_ADD_ACCOUNT_EVENT = 
"Message.AddAccount.Event";
 
 public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = 
"Message.RemoveAccount.Event";
+public static final ConfigKey UseSecretKeyInResponse = new 
ConfigKey(
+"Advanced",
+Boolean.class,
+"use.secret.key.in.response",
+"true",
--- End diff --
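
Review bot: the fourth constructor argument, `"true",`, leaves `use.secret.key.in.response` enabled by default, so, judging by the key's name, a management server that takes this change keeps returning the secret key until an operator changes the setting. Make the default `"false"` so the safe behaviour needs no configuration.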

As per discussion in PR # 1152, default value should be false. Any failing 
tests due to this change have to be fixed.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-04-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15954666#comment-15954666
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jayapalu commented on the issue:

https://github.com/apache/cloudstack/pull/1996
  
@rhtyd Once this PR gets the LGTMs, I can rebase it on 4.9. Can you please 
review this PR?




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-03-28 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15944724#comment-15944724
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user rhtyd commented on the issue:

https://github.com/apache/cloudstack/pull/1996
  
@jayapalu this is a useful security fix for 4.9 as well, can you please 
rebase against the 4.9 branch and edit the base branch of the PR to 4.9?




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2017-03-09 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15902776#comment-15902776
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


GitHub user jayapalu opened a pull request:

https://github.com/apache/cloudstack/pull/1996

CLOUDSTACK-9099: SecretKey is returned from the APIs

This PR closes the PR #1152 


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/Accelerite/cloudstack secretkey

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/cloudstack/pull/1996.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1996








[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-05-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15274111#comment-15274111
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r62337172
  
--- Diff: server/test/com/cloud/user/MockAccountManagerImpl.java ---
@@ -401,5 +403,24 @@ public Long finalyzeAccountId(String accountName, Long 
domainId, Long projectId,
 return null;
 }
 
+@Override
+public List getKeys(GetUserKeysCmd cmd) {
+return null;
+}
+
+@Override
+public void checkAccess(User user, ControlledEntity entity)
+throws PermissionDeniedException {
+
+}
+@Override
+public String getConfigComponentName() {
+return null;
+}
+
+@Override
+public ConfigKey[] getConfigKeys() {
+return null;
--- End diff --
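
Review bot: the `checkAccess(User user, ControlledEntity entity)` override has an empty body, so this mock permits every access and never throws `PermissionDeniedException`. A test of `getKeys` built on it cannot cover the denied path. Either document that the mock allows everything or let tests make it throw.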

Please return an empty array to avoid NPEs.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-05-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15274108#comment-15274108
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r62337077
  
--- Diff: server/test/com/cloud/user/MockAccountManagerImpl.java ---
@@ -401,5 +403,24 @@ public Long finalyzeAccountId(String accountName, Long 
domainId, Long projectId,
 return null;
 }
 
+@Override
+public List getKeys(GetUserKeysCmd cmd) {
+return null;
--- End diff --

Please return a ``Collections.emptyList()`` to avoid NPEs.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-05-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15274109#comment-15274109
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r62337130
  
--- Diff: server/test/com/cloud/user/MockAccountManagerImpl.java ---
@@ -401,5 +403,24 @@ public Long finalyzeAccountId(String accountName, Long 
domainId, Long projectId,
 return null;
 }
 
+@Override
+public List getKeys(GetUserKeysCmd cmd) {
+return null;
+}
+
+@Override
+public void checkAccess(User user, ControlledEntity entity)
+throws PermissionDeniedException {
+
+}
+@Override
+public String getConfigComponentName() {
+return null;
--- End diff --
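
Review bot: there is no blank line between the closing `}` of `checkAccess` and the `@Override` of `getConfigComponentName`, unlike the other methods added in this hunk. Add one for consistency.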

Please return a blank string to avoid NPEs.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-05-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15274102#comment-15274102
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r62336941
  
--- Diff: server/src/com/cloud/user/AccountManager.java ---
@@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria s
 public static final String MESSAGE_ADD_ACCOUNT_EVENT = 
"Message.AddAccount.Event";
 
 public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = 
"Message.RemoveAccount.Event";
+public static final ConfigKey UseSecretKeyInResponse = new 
ConfigKey(
+"Advanced",
+Boolean.class,
+"use.secret.key.in.response",
+"true",
--- End diff --
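
Review bot: the new constant `UseSecretKeyInResponse` is declared directly under `MESSAGE_REMOVE_ACCOUNT_EVENT` with no blank line, and in a different naming style from the upper-case constants above it. Separate it from the message constants and add a comment saying what the setting controls, since the key name `"use.secret.key.in.response"` is the only documentation visible here.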

@kansal I agree with @DaanHoogland and @remibergsma -- it's about 
reasonable and secure defaults.  We should not configure a management server 
insecurely by default.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-05-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15274101#comment-15274101
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r62336714
  
--- Diff: 
api/src/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java ---
@@ -0,0 +1,74 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.user;
+
+
+import com.cloud.user.Account;
+import com.cloud.user.User;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.RegisterResponse;
+import org.apache.cloudstack.api.response.UserResponse;
+
+import java.util.List;
+import java.util.logging.Logger;
+
+@APICommand(name = "getUserKeys",
+description = "This command allows the user to query the 
seceret and API keys for the account",
+responseObject = RegisterResponse.class,
+requestHasSensitiveInfo = false,
+responseHasSensitiveInfo = true)
--- End diff --
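
Review bot: the `@APICommand` annotation sets `responseHasSensitiveInfo = true` but declares no `authorized` roles, so the hunk does not say who may call a command that returns the secret key. State the intended roles explicitly in the annotation.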

Please add the version annotation to indicate that this command was added 
for 4.9.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-05-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15266461#comment-15266461
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user kansal commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-216217062
  
@DaanHoogland  sure. Will rebase and keep the default value to false. 




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-05-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15266455#comment-15266455
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-216215437
  
@kansal please go ahead and remove the key from the response. We'll test 
run it and add fixes to tests if needed. (cc @rhtyd my last comment is still 
valid)




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-05-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15266416#comment-15266416
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user rhtyd commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-216206238
  
@kansal can you rebase against latest master and share state of your PR, 
thanks

@DaanHoogland @jburwell do we still have outstanding issues on PR; do we 
want this or not? thanks




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15215887#comment-15215887
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-202852425
  
@kansal as the complexity is unknown I would just go ahead and update the 
PR. We'll see the damage and think of fixes as we go. As for setting the value 
to true for existing tests, fine, as long as the default is false. The fix 
(setting it to true for some test cases) is trivial and will probably not be 
needed very often. Who is going to check a response for a private key unless 
they really need it?




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15215879#comment-15215879
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user kansal commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-202844861
  
@DaanHoogland I am not sure of the amount of work that needs to be done for 
fixing all the existing test cases. Will revisit this and update. I still 
personally think that going with the optional parameter presently and assuming 
(and making sure) that the new test cases are written in compliance with this 
API will be a good way to go forward. Your views?
PS: I am still not very versed with the test case suites. Will check and 
revisit this.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-03-29 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15215807#comment-15215807
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-202822605
  
@kansal did you get to this yet?




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-01-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15080649#comment-15080649
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jburwell commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-168570237
  
@DaanHoogland I completely agree with you regarding exposing credential 
information.  The best practice when credentials are lost is to require that 
they be changed.  This approach makes the access to the sensitive information 
obvious to all users -- making it impossible for an attacker to hide such a 
breach.

In the past, we have removed sensitive data from existing API responses.  
For example, for CVE-2015-3251, we removed exposure of KVM credentials from the 
[listHosts call](https://github.com/apache/cloudstack/pull/682).  Therefore, as 
a project, we have previously determined that security should trump API 
backwards compatibility.  It should most certainly be prioritized over making 
the task of integration testing easier.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-01-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15080700#comment-15080700
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user kansal commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-168581991
  
cc @DaanHoogland @jburwell Okay. Agreed with that. So I am setting the 
default value to false but for running tests and maybe some other existing 
integration we will have to set that value to true. Is that fine? Of course 
we need to fix the existing test cases so that maybe from the next release we 
can get away with this thing completely?




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-01-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15080702#comment-15080702
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user kansal commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r48704472
  
--- Diff: server/src/com/cloud/user/AccountManager.java ---
@@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria s
 public static final String MESSAGE_ADD_ACCOUNT_EVENT = 
"Message.AddAccount.Event";
 
 public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = 
"Message.RemoveAccount.Event";
+public static final ConfigKey UseSecretKeyInResponse = new 
ConfigKey(
+"Advanced",
+Boolean.class,
+"use.secret.key.in.response",
+"true",
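Review bot: the default on the `+"true",` line leaves `use.secret.key.in.response` enabled, so an installation that upgrades keeps returning the secret key until an administrator changes the setting. Make the default "false" and let the tests or integrations that still read the key from these responses turn it on explicitly.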
--- End diff --

@remibergsma It is a part of global config and the admin can change it. 




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-01-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15080496#comment-15080496
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-168527559
  
@kansal I don't agree that making noise first is the way to go. We should 
disable the return of the key first and document it. Security demands that we 
play it that way. We can allow users to enable this insecure behaviour by 
setting a flag somewhere but it should not be default and catch the unaware 
users off guard. It will be work in the integration tests but that just will 
have to happen.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-01-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15080506#comment-15080506
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user remibergsma commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r48695937
  
--- Diff: server/src/com/cloud/user/AccountManager.java ---
@@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria s
 public static final String MESSAGE_ADD_ACCOUNT_EVENT = 
"Message.AddAccount.Event";
 
 public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = 
"Message.RemoveAccount.Event";
+public static final ConfigKey UseSecretKeyInResponse = new 
ConfigKey(
+"Advanced",
+Boolean.class,
+"use.secret.key.in.response",
+"true",
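Review bot: nothing in the added `UseSecretKeyInResponse` declaration says which responses the setting governs or that enabling it exposes credentials; the visible arguments stop at the default value. Add a comment on the constant, and check that the description argument (cut off in this hunk) names the risk, so an administrator toggling `use.secret.key.in.response` knows what it re-enables.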
--- End diff --

Agree with @DaanHoogland, it is easy enough to enable again should people 
need it. Is this setting available to the user or does it need to be added to 
the database as well?




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2016-01-01 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15076260#comment-15076260
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user kansal commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-168295517
  
@DaanHoogland Agreed with that point. But it's not only about the testing. 
I'm sure many people will be using it in their own integration. I think we 
should not change the response immediately like this without informing or 
making a noise about it. And it is because of this concern only, I added a flag 
for enabling/disabling the secret key in response.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-31 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15075956#comment-15075956
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-168200764
  
@kansal when you say 'I have deprecated that as many regressions were using 
the secret key from those APIs for authentication', I think we should adjust 
those regression tests to set the setting to true. Let's not do concessions to 
security for the sake of testing.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-31 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15075955#comment-15075955
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r48657695
  
--- Diff: server/src/com/cloud/user/AccountManager.java ---
@@ -198,4 +200,11 @@ void buildACLViewSearchCriteria(SearchCriteria s
 public static final String MESSAGE_ADD_ACCOUNT_EVENT = 
"Message.AddAccount.Event";
 
 public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = 
"Message.RemoveAccount.Event";
+public static final ConfigKey UseSecretKeyInResponse = new 
ConfigKey(
+"Advanced",
+Boolean.class,
+"use.secret.key.in.response",
+"true",
--- End diff --

Default should be false! This is a security issue.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-17 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15061916#comment-15061916
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user kansal commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-165426036
  
Have updated this PR. Instead of directly removing the secret key from 
response, I have deprecated that as many regressions were using the secret key 
from those APIs for authentication. Maybe from next major release we can remove 
that. 

@DaanHoogland  marvin test cases on the way!!!




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-10 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15050404#comment-15050404
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user kansal commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-163539799
  
@DaanHoogland Sure will try. Will take some time as I have to go through 
the documentation first. 




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-08 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15046817#comment-15046817
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-162869020
  
@kansal looks good, but for a change like this I would like a marvin test 
to prove it and guarantee its continued functioning/functionality. Do you see 
a chance to add that?





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
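
The regression check requested in the comment above, sketched as an added example (not code from the pull request or from the Marvin suite): it walks the JSON responses of the commands named in the issue and reports every path that still carries a secret key. The response shapes, the `secretkey` field name and all sample values are constructed assumptions.

```python
import json

# Commands the issue description lists as returning the secret key.
AFFECTED_APIS = (
    "createAccount", "createUser", "disableAccount", "disableUser",
    "enableAccount", "enableUser", "listAccounts", "listUsers",
    "lockAccount", "lockUser", "registerUserKeys", "updateAccount",
    "updateUser",
)

# Assumption: the key is serialized under a field named "secretkey"
# (matched case-insensitively, so "secretKey" is caught as well).
SENSITIVE_FIELDS = {"secretkey"}


def find_secret_fields(node, path=""):
    """Return the JSON paths under `node` that hold a non-empty sensitive field."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_FIELDS and value not in (None, ""):
                hits.append(child)
            else:
                hits.extend(find_secret_fields(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_secret_fields(item, f"{path}[{index}]"))
    return hits


def audit_responses(raw_by_command):
    """Map each affected command to the paths where its response leaks the key."""
    findings = {}
    for command, raw in raw_by_command.items():
        if command not in AFFECTED_APIS:
            continue  # the dedicated key-retrieval command is expected to return it
        hits = find_secret_fields(json.loads(raw))
        if hits:
            findings[command] = hits
    return findings


# Constructed responses modelling the behaviour reported in the issue.
BEFORE = {
    "listUsers": json.dumps({"listusersresponse": {"count": 1, "user": [
        {"username": "admin", "apikey": "CONSTRUCTED-API-KEY",
         "secretkey": "CONSTRUCTED-SECRET"}]}}),
    "listAccounts": json.dumps({"listaccountsresponse": {"count": 1, "account": [
        {"name": "admin", "user": [
            {"username": "admin", "secretkey": "CONSTRUCTED-SECRET"}]}]}}),
    # Constructed shape for the separate command seen in the later diff.
    "getUserKeys": json.dumps({"getuserkeysresponse": {"userkeys": {
        "apikey": "CONSTRUCTED-API-KEY", "secretkey": "CONSTRUCTED-SECRET"}}}),
}

# Constructed responses modelling the behaviour after the key is removed.
AFTER = {
    "listUsers": json.dumps({"listusersresponse": {"count": 1, "user": [
        {"username": "admin", "apikey": "CONSTRUCTED-API-KEY"}]}}),
    "listAccounts": json.dumps({"listaccountsresponse": {"count": 1, "account": [
        {"name": "admin", "user": [{"username": "admin", "secretkey": ""}]}]}}),
    "getUserKeys": BEFORE["getUserKeys"],
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_responses(sample))
```

In a live suite the same `audit_responses` call would take the raw response bodies collected while the test exercises each command, and the test fails when the returned mapping is not empty.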


[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-08 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15046815#comment-15046815
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r46947731
  
--- Diff: 
api/src/org/apache/cloudstack/api/command/admin/user/ListKeysCmd.java ---
@@ -0,0 +1,74 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.user;
+
+
+import com.cloud.user.Account;
+import com.cloud.user.User;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.RegisterResponse;
+import org.apache.cloudstack.api.response.UserResponse;
+
+import java.util.List;
+import java.util.logging.Logger;
+
+@APICommand(name = "listUserKeys",
+description = "This command allows the user to query the 
seceret and API keys for the account",
+responseObject = RegisterResponse.class,
+requestHasSensitiveInfo = false,
+responseHasSensitiveInfo = true)
+
+public class ListKeysCmd extends BaseCmd{
+
+@Parameter(name= ApiConstants.ID, type = CommandType.UUID, entityType 
= UserResponse.class, required = true, description = "ID of the user whose keys 
are required")
+private Long id;
+
+public static final Logger s_logger = 
Logger.getLogger(RegisterCmd.class.getName());
+public static final String s_name = "listuserkeysresponse";
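Review bot: on the `s_logger` line the logger is created with `RegisterCmd.class.getName()`, so anything `ListKeysCmd` logs will be attributed to `RegisterCmd`; this looks like a copy-paste leftover and should be `ListKeysCmd.class`. For a command that hands out secret keys, correctly attributed log lines matter when auditing who requested them.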
--- End diff --

same here




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-08 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15046814#comment-15046814
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r46947711
  
--- Diff: 
api/src/org/apache/cloudstack/api/command/admin/user/ListKeysCmd.java ---
@@ -0,0 +1,74 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.user;
+
+
+import com.cloud.user.Account;
+import com.cloud.user.User;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.RegisterResponse;
+import org.apache.cloudstack.api.response.UserResponse;
+
+import java.util.List;
+import java.util.logging.Logger;
+
+@APICommand(name = "listUserKeys",
+description = "This command allows the user to query the 
seceret and API keys for the account",
+responseObject = RegisterResponse.class,
+requestHasSensitiveInfo = false,
+responseHasSensitiveInfo = true)
+
+public class ListKeysCmd extends BaseCmd{
+
+@Parameter(name= ApiConstants.ID, type = CommandType.UUID, entityType 
= UserResponse.class, required = true, description = "ID of the user whose keys 
are required")
+private Long id;
+
+public static final Logger s_logger = 
Logger.getLogger(RegisterCmd.class.getName());
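Review bot: the `id` parameter accepts any user UUID (`required = true`, `entityType = UserResponse.class`), and nothing in the visible part of the class restricts whose keys a caller may request. Confirm that the access check runs before the keys are looked up, and say in the parameter description who is allowed to query another user's keys.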
--- End diff --

how about using LOGGER as a name for this static final? would be more in 
line with standards




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-08 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15046810#comment-15046810
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user kansal commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-162867278
  
@jburwell @DaanHoogland @kishankavala Have included some changes related 
to the UI. Now after generating the keys from UI, after ListUserCmd() API, 
listKeysCmd() will be called to fill the secret key as I have removed it from 
the response value of other APIs. 
Also added a test in which a normal user tries to call the listKeysCmd() 
for the admin account and hence giving a permission denied exception.





[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15044104#comment-15044104
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-162342597
  
@kansal looking forward to your update. Your intended change makes sense.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15044102#comment-15044102
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user DaanHoogland commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r46775072
  
--- Diff: api/src/com/cloud/user/AccountService.java ---
@@ -136,4 +140,6 @@ void checkAccess(Account account, AccessType 
accessType, boolean sameOwner, Stri
  */
 UserAccount getUserAccountById(Long userId);
 
+public String[] getKeys(ListKeysCmd cmd);
--- End diff --
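
Review bot: The added `getKeys` declaration has no Javadoc, although the method directly above it (`getUserAccountById`) closes one with `*/`; because this method hands back a secret key, document who may call it and what each element of the returned array holds. The `public` modifier is also redundant next to the neighbouring declarations (`checkAccess`, `getUserAccountById`), which omit it.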

I agree with @jburwell 




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15041454#comment-15041454
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user kansal commented on the pull request:

https://github.com/apache/cloudstack/pull/1152#issuecomment-161944643
  
@jburwell Sure!! Will look into these. Adding the test cases and some UI 
changes for this to work. Will update the PR.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15039749#comment-15039749
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r46649508
  
--- Diff: api/src/com/cloud/user/AccountService.java ---
@@ -136,4 +140,6 @@ void checkAccess(Account account, AccessType 
accessType, boolean sameOwner, Stri
  */
 UserAccount getUserAccountById(Long userId);
 
+public String[] getKeys(ListKeysCmd cmd);
--- End diff --
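
Review bot: `getKeys(ListKeysCmd cmd)` ties the service interface to a single API command class; taking the user ID, as `getUserAccountById(Long userId)` just above does, would keep the service layer independent of the command and easier to unit-test. A bare `String[]` result also leaves the order of the API key and the secret key implicit, so a small typed holder would make the contract explicit.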

Why is the return type defined as an array and not a ``List``?




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15039748#comment-15039748
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1152#discussion_r46649429
  
--- Diff: 
api/src/org/apache/cloudstack/api/command/admin/user/ListKeysCmd.java ---
@@ -0,0 +1,72 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.user;
+
+
+import com.cloud.user.Account;
+import com.cloud.user.User;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.RegisterResponse;
+import org.apache.cloudstack.api.response.UserResponse;
+
+import java.util.logging.Logger;
+
+@APICommand(name = "listUserKeys",
+description = "This command allows the user to query the 
seceret and API keys for the account",
+responseObject = RegisterResponse.class,
+requestHasSensitiveInfo = false,
+responseHasSensitiveInfo = true)
+
+public class ListKeysCmd extends BaseCmd{
+
+@Parameter(name= ApiConstants.ID, type = CommandType.UUID, entityType 
= UserResponse.class, required = true, description = "ID of the user whose keys 
are required")
+private Long id;
+
+public static final Logger s_logger = 
Logger.getLogger(RegisterCmd.class.getName());
+public static final String s_name = "listuserkeysresponse";
+
+public Long getID(){
+return id;
+}
+
+public String getCommandName(){
+return s_name;
+}
+
+public long getEntityOwnerId(){
+User user = _entityMgr.findById(User.class, getID());
+if(user != null){
+return user.getAccountId();
+}
+else return Account.ACCOUNT_ID_SYSTEM;
+}
+public void execute(){
+String[] keys = _accountService.getKeys(this);
+RegisterResponse response = new RegisterResponse();
+if(keys != null){
--- End diff --

Add a check before setting the keys to check that ``keys`` has a length = 
2 to avoid an ``ArrayIndexOutOfBoundsException``.  If the length is not equal 
to 2, throw an ``IllegalStateException``.




[jira] [Commented] (CLOUDSTACK-9099) SecretKey is returned from the APIs

2015-12-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15035740#comment-15035740
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9099:


GitHub user kansal opened a pull request:

https://github.com/apache/cloudstack/pull/1152

CLOUDSTACK-9099: SecretKey is returned from the APIs - Fixed

The current implementation of User and account management API (in general) 
returns the secret key as a user or account response. 
Fix: Added a new API to explicitly return the secretKey and removed it from 
the user and account response.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/kansal/cloudstack CLOUDSTACK-9099

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/cloudstack/pull/1152.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1152


commit 410045a97a75fd1e43972c66bc4882a30a5098bf
Author: Kshitij Kansal 
Date:   2015-12-02T10:43:45Z

CLOUDSTACK-9099: SecretKey is returned from the APIs - Fixed
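
A regression check for the behaviour this pull request describes, added here as an example and not part of the PR or of CloudStack: it walks JSON responses and reports any command other than `listUserKeys` that still carries a secret key. The lowercase `secretkey` field name, the response envelopes and the sample bodies are assumptions constructed for illustration.

```python
import json

# Assumed field name: the issue calls it "secretKey"; matching is case-insensitive.
SECRET_FIELDS = {"secretkey"}
# Command name taken from the PR's @APICommand annotation; the only one
# expected to carry the secret after the fix.
ALLOWED_COMMANDS = {"listUserKeys"}


def secret_paths(node, path="$"):
    """Return the JSON path of every non-empty secret-key field under node."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SECRET_FIELDS and value not in (None, ""):
                hits.append(child)
            hits.extend(secret_paths(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(secret_paths(item, f"{path}[{i}]"))
    return hits


def audit(responses, allowed=ALLOWED_COMMANDS):
    """Map each command that exposes a secret key to the paths where it appears."""
    findings = {}
    for command, body in responses.items():
        if command in allowed:
            continue
        hits = secret_paths(json.loads(body))
        if hits:
            findings[command] = hits
    return findings


# Constructed sample responses (not captured from a real deployment).
SAMPLE = {
    "listUsers": '{"listusersresponse": {"count": 1, "user": [{"username": "alice", "apikey": "AK-constructed", "secretkey": "SK-constructed"}]}}',
    "updateUser": '{"updateuserresponse": {"user": {"username": "alice", "apikey": "AK-constructed"}}}',
    "listAccounts": '{"listaccountsresponse": {"account": [{"name": "dev", "user": [{"username": "bob", "SecretKey": "SK-constructed"}]}]}}',
    "listUserKeys": '{"listuserkeysresponse": {"userkeys": {"apikey": "AK-constructed", "secretkey": "SK-constructed"}}}',
}

if __name__ == "__main__":
    for command, paths in audit(SAMPLE).items():
        print(f"{command}: secret key exposed at {', '.join(paths)}")
```
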



