Posted to commits@storm.apache.org by pa...@apache.org on 2015/04/10 01:36:05 UTC
[1/3] storm git commit: STORM-749: Forgot to delete the file and some
other blocks.
Repository: storm
Updated Branches:
refs/heads/0.10.x-branch 5c5abdfee -> 561bad88a
STORM-749: Forgot to delete the file and some other blocks.
Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/7fd76a01
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/7fd76a01
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/7fd76a01
Branch: refs/heads/0.10.x-branch
Commit: 7fd76a0166d1c74e3dc4d55afb48b046375754e1
Parents: 5c5abdf
Author: Parth Brahmbhatt <br...@gmail.com>
Authored: Thu Apr 2 18:28:08 2015 -0700
Committer: Parth Brahmbhatt <br...@gmail.com>
Committed: Tue Apr 7 10:42:02 2015 -0700
----------------------------------------------------------------------
STORM-UI-REST-API.md | 3 +--
.../public/templates/anti-forgery-template.html | 19 -------------------
storm-core/src/ui/public/topology.html | 5 -----
3 files changed, 1 insertion(+), 26 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/storm/blob/7fd76a01/STORM-UI-REST-API.md
----------------------------------------------------------------------
diff --git a/STORM-UI-REST-API.md b/STORM-UI-REST-API.md
index 72b07d4..8e9e67a 100644
--- a/STORM-UI-REST-API.md
+++ b/STORM-UI-REST-API.md
@@ -380,8 +380,7 @@ Sample response:
"storm.zookeeper.retry.intervalceiling.millis": 30000,
"supervisor.enable": true,
"storm.messaging.netty.server_worker_threads": 1
- },
- "antiForgeryToken": "lAFTN\/5iSedRLwJeUNqkJ8hgYubRl2OxjXGoDf9A4Bt1nZY3rvJW0\/P4zqu9yAk\/LvDhlmn7gigw\/z8C"
+ }
}
```
http://git-wip-us.apache.org/repos/asf/storm/blob/7fd76a01/storm-core/src/ui/public/templates/anti-forgery-template.html
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/templates/anti-forgery-template.html b/storm-core/src/ui/public/templates/anti-forgery-template.html
deleted file mode 100644
index 3adcb64..0000000
--- a/storm-core/src/ui/public/templates/anti-forgery-template.html
+++ /dev/null
@@ -1,19 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<script id="anti-forgery-template" type="text/html">
-{{#antiForgeryToken}}{{antiForgeryToken}}{{/antiForgeryToken}}
-</script>
http://git-wip-us.apache.org/repos/asf/storm/blob/7fd76a01/storm-core/src/ui/public/topology.html
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/topology.html b/storm-core/src/ui/public/topology.html
index 315862c..4b2d841 100644
--- a/storm-core/src/ui/public/topology.html
+++ b/storm-core/src/ui/public/topology.html
@@ -125,11 +125,6 @@ $(document).ready(function() {
$('#ui-user [data-toggle="tooltip"]').tooltip();
});
- var antiForgeryToken = $("#anti-forgery-token");
- $.get("/templates/anti-forgery-template.html", function(template) {
- antiForgeryToken.append(Mustache.render($(template).filter("#anti-forgery-template").html(),response));
- });
-
var topologySummary = $("#topology-summary");
var topologyStats = $("#topology-stats");
var spoutStats = $("#spout-stats");
[2/3] storm git commit: STORM-749: Remove CSRF check.
Posted by pa...@apache.org.
STORM-749: Remove CSRF check.
Conflicts:
storm-core/src/ui/public/css/style.css
Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/8663fa6e
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/8663fa6e
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/8663fa6e
Branch: refs/heads/0.10.x-branch
Commit: 8663fa6e442c063ba994b347863618c937d269fc
Parents: 7fd76a0
Author: Parth Brahmbhatt <br...@gmail.com>
Authored: Thu Apr 2 18:13:18 2015 -0700
Committer: Parth Brahmbhatt <br...@gmail.com>
Committed: Tue Apr 7 10:47:53 2015 -0700
----------------------------------------------------------------------
STORM-UI-REST-API.md | 42 ----------------------
storm-core/pom.xml | 5 ---
storm-core/src/clj/backtype/storm/ui/core.clj | 13 ++-----
storm-core/src/ui/public/css/style.css | 6 +---
storm-core/src/ui/public/js/script.js | 3 +-
storm-core/src/ui/public/topology.html | 3 --
6 files changed, 4 insertions(+), 68 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/STORM-UI-REST-API.md
----------------------------------------------------------------------
diff --git a/STORM-UI-REST-API.md b/STORM-UI-REST-API.md
index 8e9e67a..2836105 100644
--- a/STORM-UI-REST-API.md
+++ b/STORM-UI-REST-API.md
@@ -231,11 +231,6 @@ Response fields:
|bolts.errorLapsedSecs| Integer |Number of seconds elapsed since that last error happened in a bolt|
|bolts.errorWorkerLogLink| String | Link to the worker log that reported the exception |
|bolts.emitted| Long |Number of tuples emitted|
-|antiForgeryToken| String | CSRF token|
-
-Caution: users need to unescape the antiForgeryToken value before using this token to make POST calls(simple-json escapes forward slashes)
-[ISSUE-8](https://code.google.com/p/json-simple/issues/detail?id=8)
-
Examples:
@@ -578,44 +573,8 @@ Sample response:
}
```
-### /api/v1/token (GET)
-
-Returns a anti forgery token to use in POST calls
-
-Response fields:
-
-|Field |Value |Description|
-|antiForgeryToken| String | CSRF token|
-
-Sample response:
-
-```json
-{
- "antiForgeryToken": "Dygf1UHQF7qL0syKLTKEGSX5y0rZhhQTxS2f/WWwI2PhN1zmRdh8MQ1KTd5CXRmjMVmAJ43eklqYmvD5"
-}
-```
-
-
## POST Operations
-### Cross site request forgery (CSRF) prevention in POST requests
-
-In order to prevent CSRF vulnerability, the REST API uses a CSRF token. This is primarily done for the UI, however we
-do not have alternative APIs/paths for UI and non-UI clients.
-
-The token is generated during the `/api/v1/topology/:id` (GET) request. The JSON response for this GET request contains
-a field called "antiForgeryToken". All the post requests below must include a header "x-csrf-token" with the value of
-"antiForgeryToken" from the GET response. In absence of this header with the right token value you will get following
-error response:
-
-```
-{
- "error" : "Forbidden action.",
- "errorMessage" : "missing CSRF token."
-}
-```
-
-
### /api/v1/topology/:id/activate (POST)
Activates a topology.
@@ -667,7 +626,6 @@ Examples:
```no-highlight
curl -i -b ~/cookiejar.txt -c ~/cookiejar.txt -X POST
--H 'x-csrf-token:nRXggIDItGA/rxjPETo9ok65DM3rpQqOLoNwWXZWbGuaZZjtms5/tU+h36uQCR34z50DtFybkwh1ZB5e'
-H "Content-Type: application/json"
-d '{"rebalanceOptions": {"numWorkers": 2, "executors": { "spout" : "5", "split": 7, "count": 5 }}, "callback":"foo"}'
http://localhost:8080/api/v1/topology/wordcount-1-1420308665/rebalance/0
http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/storm-core/pom.xml
----------------------------------------------------------------------
diff --git a/storm-core/pom.xml b/storm-core/pom.xml
index 7f7b812..17e1a15 100644
--- a/storm-core/pom.xml
+++ b/storm-core/pom.xml
@@ -68,11 +68,6 @@
</dependency>
<dependency>
<groupId>ring</groupId>
- <artifactId>ring-anti-forgery</artifactId>
- <version>1.0.0</version>
- </dependency>
- <dependency>
- <groupId>ring</groupId>
<artifactId>ring-json</artifactId>
<version>0.3.1</version>
</dependency>
http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/storm-core/src/clj/backtype/storm/ui/core.clj
----------------------------------------------------------------------
diff --git a/storm-core/src/clj/backtype/storm/ui/core.clj b/storm-core/src/clj/backtype/storm/ui/core.clj
index c64f35d..7a475ad 100644
--- a/storm-core/src/clj/backtype/storm/ui/core.clj
+++ b/storm-core/src/clj/backtype/storm/ui/core.clj
@@ -23,7 +23,6 @@
(:use [backtype.storm.ui helpers])
(:use [backtype.storm.daemon [common :only [ACKER-COMPONENT-ID ACKER-INIT-STREAM-ID ACKER-ACK-STREAM-ID
ACKER-FAIL-STREAM-ID system-id? mk-authorization-handler]]])
- (:use [ring.middleware.anti-forgery])
(:use [clojure.string :only [blank? lower-case trim]])
(:import [backtype.storm.utils Utils])
(:import [backtype.storm.generated ExecutorSpecificStats
@@ -699,8 +698,7 @@
"spouts" (spout-comp id spout-comp-summs (.get_errors summ) window include-sys?)
"bolts" (bolt-comp id bolt-comp-summs (.get_errors summ) window include-sys?)
"configuration" topology-conf
- "visualizationTable" (stream-boxes visualizer-data)
- "antiForgeryToken" *anti-forgery-token*}))))
+ "visualizationTable" (stream-boxes visualizer-data)}))))
(defn spout-output-stats
[stream-summary window]
@@ -926,8 +924,6 @@
(let [user (.getUserName http-creds-handler servlet-request)]
(assert-authorized-user servlet-request "getTopology" (topology-config id))
(json-response (component-page id component (:window m) (check-include-sys? (:sys m)) user) (:callback m))))
- (GET "/api/v1/token" [ & m]
- (json-response (format "{\"antiForgeryToken\": \"%s\"}" *anti-forgery-token*) (:callback m) :serialize-fn identity))
(POST "/api/v1/topology/:id/activate" [:as {:keys [cookies servlet-request]} id & m]
(assert-authorized-user servlet-request "activate" (topology-config id))
(with-nimbus nimbus
@@ -938,7 +934,7 @@
name (.get_name tplg)]
(.activate nimbus name)
(log-message "Activating topology '" name "'")))
- (json-response (topology-op-response id "deactivate") (m "callback")))
+ (json-response (topology-op-response id "activate") (m "callback")))
(POST "/api/v1/topology/:id/deactivate" [:as {:keys [cookies servlet-request]} id & m]
(assert-authorized-user servlet-request "deactivate" (topology-config id))
(with-nimbus nimbus
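Review bot: The activate handler logs only the topology name (`(log-message "Activating topology '" name "'")`), so the log cannot attribute the state change to a caller. This commit also drops the anti-forgery gate from the POST routes, which makes that attribution the main way to tell a deliberate operator action from a forged or mistaken request afterwards. The GET handler just above already resolves the caller with `(.getUserName http-creds-handler servlet-request)`; binding the same value here and logging it, e.g. `(log-message "Activating topology '" name "' requested by user '" user "'")`, would close the gap. The deactivate handler that follows presumably needs the same treatment. The activate handler begins above this hunk and the deactivate handler continues past its end.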
@@ -1005,15 +1001,10 @@
(json-response (exception->json ex) ((:query-params request) "callback") :status 500)))))
-(def csrf-error-response
- (json-response {"error" "Forbidden action."
- "errorMessage" "missing CSRF token."} 403))
-
(def app
(handler/site (-> main-routes
(wrap-json-params)
(wrap-reload '[backtype.storm.ui.core])
- (wrap-anti-forgery {:error-response csrf-error-response})
catch-errors)))
(defn start-server!
http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/storm-core/src/ui/public/css/style.css
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/css/style.css b/storm-core/src/ui/public/css/style.css
index df3d3db..1851f6a 100644
--- a/storm-core/src/ui/public/css/style.css
+++ b/storm-core/src/ui/public/css/style.css
@@ -22,8 +22,4 @@
#ui-user {
text-align: right;
padding: 0.5em;
-}
-
-.anti-forgery-token {
- visibility:hidden;
-}
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/storm-core/src/ui/public/js/script.js
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/js/script.js b/storm-core/src/ui/public/js/script.js
index 25822f5..73cfd7f 100644
--- a/storm-core/src/ui/public/js/script.js
+++ b/storm-core/src/ui/public/js/script.js
@@ -84,8 +84,7 @@ function ensureInt(n) {
function confirmAction(id, name, action, wait, defaultWait) {
var opts = {
type:'POST',
- url:'/api/v1/topology/' + id + '/' + action,
- headers: { 'x-csrf-token': $.trim($('#anti-forgery-token').text()) }
+ url:'/api/v1/topology/' + id + '/' + action
};
if (wait) {
var waitSecs = prompt('Do you really want to ' + action + ' topology "' + name + '"? ' +
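Review bot: With the `x-csrf-token` header removed from `opts`, this POST is authenticated only by the credentials the browser attaches on its own, and the same commit removes `wrap-anti-forgery` from `app` in core.clj without adding another cross-site request check. The curl example in STORM-UI-REST-API.md uses a cookie jar, which suggests cookie-backed sessions; if so, the activate, deactivate and rebalance routes would accept a POST initiated from another origin. A replacement that needs no token round-trip is a server-side Origin/Referer check or a required custom request header on these routes, and the reliance should at least be recorded here with a comment such as `// No CSRF token is sent: the server must reject cross-origin POSTs itself (Origin check or required custom header).` Separately, `id` and `action` are concatenated into the path unencoded, where `encodeURIComponent(id)` would be safer. confirmAction continues past the end of this hunk.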
http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/storm-core/src/ui/public/topology.html
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/topology.html b/storm-core/src/ui/public/topology.html
index 4b2d841..7285f35 100644
--- a/storm-core/src/ui/public/topology.html
+++ b/storm-core/src/ui/public/topology.html
@@ -77,9 +77,6 @@
<div class="row">
<div id="json-response-error" class="col-md-12"></div>
</div>
- <div class="row">
- <div id="anti-forgery-token" class="anti-forgery-token col-md-12"></div>
- </div>
</div>
</body>
<script>
[3/3] storm git commit: Added STORM-749 to CHANGELOG.
Posted by pa...@apache.org.
Added STORM-749 to CHANGELOG.
Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/561bad88
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/561bad88
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/561bad88
Branch: refs/heads/0.10.x-branch
Commit: 561bad88aff3391445165fa417c994bbbbf95137
Parents: 8663fa6
Author: Parth Brahmbhatt <br...@gmail.com>
Authored: Thu Apr 9 16:20:39 2015 -0700
Committer: Parth Brahmbhatt <br...@gmail.com>
Committed: Thu Apr 9 16:20:39 2015 -0700
----------------------------------------------------------------------
CHANGELOG.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/storm/blob/561bad88/CHANGELOG.md
----------------------------------------------------------------------
diff --git a/CHANGELOG.md b/CHANGELOG.md
index de07020..91ff04d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -87,7 +87,8 @@
* STORM-634: Storm serialization changed to thrift to support rolling upgrade.
* STORM-570: Switch from tablesorter to datatables jquery plugin.
* STORM-723: Remove RedisStateSetUpdater / RedisStateSetCountQuerier which didn't tested and have a bug
-
+ * STORM-749: Removing CSRF check from REST API.
+
## 0.9.3-rc2
* STORM-558: change "swap!" to "reset!" to fix assignment-versions in supervisor
* STORM-555: Storm json response should set charset to UTF-8