apiserver authorizers
roger peppe
roger.peppe at canonical.com
Wed Dec 2 11:26:59 UTC 2015
Could you link to the offending change(s) please, so we
can see what doing it wrong looks like?
On 2 December 2015 at 09:28, William Reade <william.reade at canonical.com> wrote:
> I just noticed that the unitassigner facade-constructor drops the authorizer
> on the floor; and I caught a similar case in a review yesterday (that had
> already been LGTMed by someone else).
>
> Doing that means that *any* api connection can use the thus-unprotected
> facade -- clients, agents, and malicious code running in a compromised
> machine and using the agent credentials. I don't think we have any APIs
> where this is actually a good idea; the best I could say about any such case
> is that it's not *actively* harmful *right now*. But big exploits are made
> of little holes, let's make an effort not to open them in the first place.
>
> Moonstone, please fix the unitassigner facade ASAP; everyone else, be told,
> and keep an extra eye out for this issue in reviews :).
>
> Cheers
> William
>
> --
> Juju-dev mailing list
> Juju-dev at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju-dev
>
More information about the Juju-dev
mailing list