IBM Data and AI Ideas Portal for Customers



Status Delivered
Workspace Spectrum Symphony
Components Version 7.3.2
Created by Guest
Created on Jun 11, 2023

Allow disabling plugin-related requests through the HostFactory REST API and Symphony GUI

JPMC currently uses Symphony 7.3.1. We intend to allow users to use the HostFactory REST API, e.g. from on-prem to a Symphony cluster on AWS.

We happen to see that Symphony 7.3.2, which we intend to upgrade to later, supports HostFactory plugin-related requests through the HostFactory REST API. This would mean our users can submit HostFactory plugin update requests through the HF REST server and thus run scripts they uploaded on e.g. management instances, about which we have security concerns. It is true that only a Cluster Admin user can submit REST requests to HF, and Cluster Admins have special privileges and can do many things on management hosts anyway. Still, a "channel" like REST API requests to make changes to management hosts, even by a cluster admin, is what we do not want.

This idea (i.e. RFE) asks for a custom setting to disable all HostFactory plug-in related requests through HostFactory or the Symphony GUI.

This request is for the upcoming 7.3.2x release scheduled for the end of calendar 2023.



Needed By Quarter
  • Admin
    Dennis Xiao
    Jan 29, 2024

    Discussed in today's sync-up meeting: the enhancement could be to enforce that only the directory defined in the HF service profile is allowed for HF scripts, not any location.

  • Admin
    Dennis Xiao
    Jan 24, 2024

    Based on the discussion below, the enhancement is not required. Dennis


    Sounds more secure to be under $EGO_TOP/hostfactory. Is there a log directory under $EGO_TOP/hostfactory? The log dir needs to be excluded.

    Currently it allows an arbitrary directory, which is a loose end.

    Thanks and have a great weekend!

    --Larry

    From: Lin, Leo Z (CIB Tech, USA) <leo.z.lin@jpmorgan.com>
    Sent: Friday, January 19, 2024 4:35 PM
    To: Ajith Shanmuganathan <ashanmug@ca.ibm.com>; Xu, Peter Q (CIB Tech, USA) <peter.q.xu@jpmchase.com>; Dennis Xiao <dxiao@ca.ibm.com>; Gao, Larry (CIB Tech, USA) <larry.gao@jpmchase.com>
    Subject: RE: [EXTERNAL]RE: RE: Regarding RFE SPCS-I-964 in 7.3.2

    Hi Ajith,

    "we can force the scripts directory to be under the hostfactory directory under EGO" - to clarify, you mean $EGO_TOP/hostfactory, right?

    This sounds to me like a good guard. All files under this directory are owned by egoadmin, so it should prevent HostFactory from running a script that was created by another user.

    Thanks

    --Leo

    From: Ajith Shanmuganathan <ashanmug@ca.ibm.com>
    Sent: Friday, January 19, 2024 4:21 PM
    To: Lin, Leo Z (CIB Tech, USA) <leo.z.lin@jpmorgan.com>; Xu, Peter Q (CIB Tech, USA) <peter.q.xu@jpmchase.com>; Dennis Xiao <dxiao@ca.ibm.com>; Gao, Larry (CIB Tech, USA) <larry.gao@jpmchase.com>
    Subject: [EXTERNAL]RE: RE: Regarding RFE SPCS-I-964 in 7.3.2

    Hi Leo,

    The config is for the scripts directory and not the script itself. To perform this exploit, user guest1 will need to access the shared filesystem and add the specific shell files that HF is looking for (getAvailableTemplates.sh or getDemandRequests.sh) and put some code there. They cannot simply point to an existing file.

    Then guest1 will need to access the REST API as cluster-admin and configure HF to add a new requestor/provider and instance.

    If only worried about impersonation, we can force the scripts directory to be under the hostfactory directory under EGO. This would block all users other than egoadmin from adding files.


    Thanks, Ajith

    From: Lin, Leo Z <leo.z.lin@jpmorgan.com>
    Sent: Friday, January 19, 2024 3:48 PM
    To: Ajith Shanmuganathan <ashanmug@ca.ibm.com>; Xu, Peter Q <peter.q.xu@jpmchase.com>; Dennis Xiao <dxiao@ca.ibm.com>; Gao, Larry <larry.gao@jpmchase.com>
    Subject: RE: [EXTERNAL]RE: Regarding RFE SPCS-I-964 in 7.3.2


    Hi Ajith,

    The issue then is that the user will be able to configure any script as a provider plugin (such as those in the shared filesystem directory created by the user) to be executed by HostFactory (which runs as egoadmin), which means the user is able to impersonate egoadmin.

    Thanks

    --Leo

    From: Ajith Shanmuganathan <ashanmug@ca.ibm.com>
    Sent: Friday, January 19, 2024 2:27 PM
    To: Xu, Peter Q (CIB Tech, USA) <peter.q.xu@jpmchase.com>; Dennis Xiao <dxiao@ca.ibm.com>; Gao, Larry (CIB Tech, USA) <larry.gao@jpmchase.com>; Lin, Leo Z (CIB Tech, USA) <leo.z.lin@jpmorgan.com>
    Subject: [EXTERNAL]RE: Regarding RFE SPCS-I-964 in 7.3.2

    Hi Peter,

    To confirm, this is regarding creating additional copies of a specific provider plugin and related configuration via the REST API. Previously, this was a manual process requiring the creation of a new directory structure. Is there a specific concern about this? I don't think we provide access to scripts via REST, only config. The script placement is a pre-requisite.
    https://www.ibm.com/docs/en/spectrum-symphony/7.3.2?topic=version-create-provider-plug-in

    Thanks, Ajith
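The guard the thread converges on (Jan 29 comment and Ajith's reply of Jan 19 4:21 PM) is that a provider's scripts directory must sit under the directory the HF service profile permits, such as $EGO_TOP/hostfactory, that the log directory under it is excluded (Larry's note), and that the plugin scripts are owned by egoadmin so another user cannot plant getAvailableTemplates.sh or getDemandRequests.sh. The following is an added illustration of that check, written for this page; it is not IBM's or Spectrum Symphony's code and makes no claim about how HostFactory implements the setting. It assumes the two script names quoted in the thread, uses a throwaway temporary tree as a stand-in for $EGO_TOP, and uses the current user's uid in place of egoadmin's uid, since a constructed run cannot create files owned by another account.

```python
"""Containment and ownership checks for a HostFactory provider scripts dir.

Added example, not IBM code. The scripts directory must resolve (after
symlinks) under the allowed root, must not be inside the log directory, and
the directory plus the plugin scripts must be owned by the expected uid and
not be writable by group or others.
"""
import os
import stat
import tempfile

# Script names HostFactory is said to look for (taken from the thread).
PLUGIN_SCRIPTS = ("getAvailableTemplates.sh", "getDemandRequests.sh")
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def is_within(path, root):
    """True if `path`, with all symlinks resolved, lies under `root`."""
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_path, real_root]) == real_root


def validate_scripts_dir(scripts_dir, allowed_root, log_dir, expected_uid):
    """Return (ok, reason). `allowed_root` stands for the directory the HF
    service profile permits (e.g. $EGO_TOP/hostfactory); `log_dir` is the
    excluded log directory; `expected_uid` stands for egoadmin's uid."""
    if not os.path.isdir(scripts_dir):
        return False, "scripts dir is not a directory"
    if not is_within(scripts_dir, allowed_root):
        return False, "scripts dir resolves outside the allowed root"
    if is_within(scripts_dir, log_dir):
        return False, "scripts dir is inside the log directory"
    dir_st = os.stat(scripts_dir)
    if dir_st.st_uid != expected_uid:
        return False, "scripts dir is not owned by the expected uid"
    if dir_st.st_mode & WRITABLE_BY_OTHERS:
        return False, "scripts dir is writable by group/others"
    for name in PLUGIN_SCRIPTS:
        path = os.path.join(scripts_dir, name)
        if not os.path.lexists(path):
            return False, f"{name} is missing"
        st = os.lstat(path)  # lstat: a symlink to a file elsewhere is rejected
        if not stat.S_ISREG(st.st_mode):
            return False, f"{name} is not a regular file"
        if st.st_uid != expected_uid:
            return False, f"{name} is not owned by the expected uid"
        if st.st_mode & WRITABLE_BY_OTHERS:
            return False, f"{name} is writable by group/others"
    return True, "ok"


def build_demo():
    """Construct a throwaway $EGO_TOP tree (constructed data, not a real
    install) and run the check over several layouts. Returns a dict mapping a
    scenario name to the reason string the check produced."""
    ego_top = tempfile.mkdtemp(prefix="ego_top_")
    hf_root = os.path.join(ego_top, "hostfactory")
    log_dir = os.path.join(hf_root, "log")
    uid = os.getuid()  # stand-in for egoadmin's uid in this constructed run

    def make_scripts(directory, mode=0o750):
        os.makedirs(directory, exist_ok=True)
        os.chmod(directory, 0o750)
        for name in PLUGIN_SCRIPTS:
            path = os.path.join(directory, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        return directory

    good = make_scripts(os.path.join(hf_root, "providers", "myprov", "scripts"))
    in_log = make_scripts(os.path.join(log_dir, "scripts"))
    outside = make_scripts(os.path.join(ego_top, "shared", "scripts"))
    # A symlink inside the root that points outside it must not pass.
    link = os.path.join(hf_root, "providers", "linked")
    os.symlink(outside, link)
    empty = os.path.join(hf_root, "providers", "empty", "scripts")
    os.makedirs(empty)
    os.chmod(empty, 0o750)
    loose = make_scripts(os.path.join(hf_root, "providers", "loose", "scripts"),
                         mode=0o777)

    cases = {
        "good": good,
        "in_log": in_log,
        "outside": outside,
        "symlink_escape": link,
        "missing_scripts": empty,
        "world_writable": loose,
    }
    return {name: validate_scripts_dir(d, hf_root, log_dir, uid)[1]
            for name, d in cases.items()}


if __name__ == "__main__":
    for scenario, reason in build_demo().items():
        print(f"{scenario:16s} -> {reason}")
```

The realpath-based containment check is what turns "only the dir defined in the service profile" into something enforceable: a path that is lexically under the root but is, or contains, a symlink to a shared filesystem elsewhere still fails. The ownership and mode checks cover the impersonation case Leo raised, since a script a non-egoadmin user can create or modify is rejected before anything runs as egoadmin.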