OpenQuake Platform

icebox configuration: lock down the /artifacts/import method

Bug #1218382 reported by Lars Butler on 2013-08-29

This bug report is a duplicate of: Bug #1234350: It's possible for the client to assign calculation results to another user. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenQuake Platform	New	Undecided	Unassigned

Bug Description

When the oq-engine-server finishes a calculation, it can optionally POST to icebox's /artifacts/import endpoint and pass in a oq-engine-server URL from which icebox can import calculation results. (See https://docs.google.com/a/openquake.org/drawings/d/1oCXtOrrkk4YDi-vF2xLOjh6s7ZZKtoiKAM9-nX4QTB0) However, since this method doesn't require authentication, there is potential for DoS exploitation by posting bogus requests. Thus, when the icebox is installed, we need to configure the webserver to restrict access and only allows POSTs from the oq-engine-server.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1234350 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Related blueprints

Icebox: For storing and serving OpenQuake results

Remote bug watches

Bug watches keep track of this bug in other bug trackers.