You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mesos.apache.org by Jan Schlicht <ja...@mesosphere.io> on 2016/05/10 13:37:49 UTC
Should "read-only" HTTP endpoints allow other request methods than "GET"?
Hi guys,
while working on HTTP endpoint authorization for Mesos, I found some
interesting behavior: It's the responsibility of the HTTP endpoint handlers
to validate the HTTP request method they've been called with. Many
"read-only" endpoints (e.g. "/flags", "/state") don't do this at the
moment. This means that it's possible to send, for example, an HTTP "POST"
to the "/state" endpoint and get the same results as if it would have been
an HTTP "GET".
While this is currently not a problem, it will complicate things when we
want to authorize endpoint access. The authorization should take the HTTP
request method into account to distinguish between "user wants read access
to the endpoint" and "user wants write access to the endpoint". This makes
it ambitious on how to handle these "read-only" endpoints that also accept
a "POST" request.
The solution to that problem would be to add HTTP request method validation
to every endpoint, i.e. the read-only endpoints would reject any request
method that isn't "GET". I've created MESOS-5346 for that.
Because that would change the existing behavior, that allows to e.g. "POST"
to a "read-only" endpoint, I'd like to know if anybody relies on that
behavior, or if there are any other objections on changing it.
Cheers,
Jan
Re: Should "read-only" HTTP endpoints allow other request methods
than "GET"?
Posted by Kevin Klues <kl...@gmail.com>.
There was some discussion of this between mpark and I in relation to
the v1 operator API. The idea was to have a base class for endpoints
that implement GET/POST/DELETE/PUT/etc... functions that return an
error by default. You can then override the specific subset of them
that that each endpoint supports.
On Tue, May 10, 2016 at 6:42 AM, Vinod Kone <vi...@gmail.com> wrote:
> +1 to only allow GET for read only
>
> @vinodkone
>
>> On May 10, 2016, at 6:37 AM, Jan Schlicht <ja...@mesosphere.io> wrote:
>>
>> Hi guys,
>>
>> while working on HTTP endpoint authorization for Mesos, I found some
>> interesting behavior: It's the responsibility of the HTTP endpoint handlers
>> to validate the HTTP request method they've been called with. Many
>> "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
>> moment. This means that it's possible to send, for example, an HTTP "POST"
>> to the "/state" endpoint and get the same results as if it would have been
>> an HTTP "GET".
>> While this is currently not a problem, it will complicate things when we
>> want to authorize endpoint access. The authorization should take the HTTP
>> request method into account to distinguish between "user wants read access
>> to the endpoint" and "user wants write access to the endpoint". This makes
>> it ambitious on how to handle these "read-only" endpoints that also accept
>> a "POST" request.
>> The solution to that problem would be to add HTTP request method validation
>> to every endpoint, i.e. the read-only endpoints would reject any request
>> method that isn't "GET". I've created MESOS-5346 for that.
>> Because that would change the existing behavior, that allows to e.g. "POST"
>> to a "read-only" endpoint, I'd like to know if anybody relies on that
>> behavior, or if there are any other objections on changing it.
>>
>> Cheers,
>> Jan
--
~Kevin
Re: Should "read-only" HTTP endpoints allow other request methods
than "GET"?
Posted by Kevin Klues <kl...@gmail.com>.
There was some discussion of this between mpark and I in relation to
the v1 operator API. The idea was to have a base class for endpoints
that implement GET/POST/DELETE/PUT/etc... functions that return an
error by default. You can then override the specific subset of them
that that each endpoint supports.
On Tue, May 10, 2016 at 6:42 AM, Vinod Kone <vi...@gmail.com> wrote:
> +1 to only allow GET for read only
>
> @vinodkone
>
>> On May 10, 2016, at 6:37 AM, Jan Schlicht <ja...@mesosphere.io> wrote:
>>
>> Hi guys,
>>
>> while working on HTTP endpoint authorization for Mesos, I found some
>> interesting behavior: It's the responsibility of the HTTP endpoint handlers
>> to validate the HTTP request method they've been called with. Many
>> "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
>> moment. This means that it's possible to send, for example, an HTTP "POST"
>> to the "/state" endpoint and get the same results as if it would have been
>> an HTTP "GET".
>> While this is currently not a problem, it will complicate things when we
>> want to authorize endpoint access. The authorization should take the HTTP
>> request method into account to distinguish between "user wants read access
>> to the endpoint" and "user wants write access to the endpoint". This makes
>> it ambitious on how to handle these "read-only" endpoints that also accept
>> a "POST" request.
>> The solution to that problem would be to add HTTP request method validation
>> to every endpoint, i.e. the read-only endpoints would reject any request
>> method that isn't "GET". I've created MESOS-5346 for that.
>> Because that would change the existing behavior, that allows to e.g. "POST"
>> to a "read-only" endpoint, I'd like to know if anybody relies on that
>> behavior, or if there are any other objections on changing it.
>>
>> Cheers,
>> Jan
--
~Kevin
Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?
Posted by Vinod Kone <vi...@gmail.com>.
+1 to only allow GET for read only
@vinodkone
> On May 10, 2016, at 6:37 AM, Jan Schlicht <ja...@mesosphere.io> wrote:
>
> Hi guys,
>
> while working on HTTP endpoint authorization for Mesos, I found some
> interesting behavior: It's the responsibility of the HTTP endpoint handlers
> to validate the HTTP request method they've been called with. Many
> "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
> moment. This means that it's possible to send, for example, an HTTP "POST"
> to the "/state" endpoint and get the same results as if it would have been
> an HTTP "GET".
> While this is currently not a problem, it will complicate things when we
> want to authorize endpoint access. The authorization should take the HTTP
> request method into account to distinguish between "user wants read access
> to the endpoint" and "user wants write access to the endpoint". This makes
> it ambitious on how to handle these "read-only" endpoints that also accept
> a "POST" request.
> The solution to that problem would be to add HTTP request method validation
> to every endpoint, i.e. the read-only endpoints would reject any request
> method that isn't "GET". I've created MESOS-5346 for that.
> Because that would change the existing behavior, that allows to e.g. "POST"
> to a "read-only" endpoint, I'd like to know if anybody relies on that
> behavior, or if there are any other objections on changing it.
>
> Cheers,
> Jan
Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?
Posted by Vinod Kone <vi...@gmail.com>.
+1 to only allow GET for read only
@vinodkone
> On May 10, 2016, at 6:37 AM, Jan Schlicht <ja...@mesosphere.io> wrote:
>
> Hi guys,
>
> while working on HTTP endpoint authorization for Mesos, I found some
> interesting behavior: It's the responsibility of the HTTP endpoint handlers
> to validate the HTTP request method they've been called with. Many
> "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
> moment. This means that it's possible to send, for example, an HTTP "POST"
> to the "/state" endpoint and get the same results as if it would have been
> an HTTP "GET".
> While this is currently not a problem, it will complicate things when we
> want to authorize endpoint access. The authorization should take the HTTP
> request method into account to distinguish between "user wants read access
> to the endpoint" and "user wants write access to the endpoint". This makes
> it ambitious on how to handle these "read-only" endpoints that also accept
> a "POST" request.
> The solution to that problem would be to add HTTP request method validation
> to every endpoint, i.e. the read-only endpoints would reject any request
> method that isn't "GET". I've created MESOS-5346 for that.
> Because that would change the existing behavior, that allows to e.g. "POST"
> to a "read-only" endpoint, I'd like to know if anybody relies on that
> behavior, or if there are any other objections on changing it.
>
> Cheers,
> Jan
Re: Should "read-only" HTTP endpoints allow other request methods
than "GET"?
Posted by Stian Soiland-Reyes <st...@apache.org>.
OPTIONS and HEAD would also be in allowed.
Also the error if say POST is sometimes allowed, but not with the current
(anonymous or other) user, then the error should be 401 Unauthorized, not
405 Method not allowed.
On 10 May 2016 2:37 p.m., "Jan Schlicht" <ja...@mesosphere.io> wrote:
> Hi guys,
>
> while working on HTTP endpoint authorization for Mesos, I found some
> interesting behavior: It's the responsibility of the HTTP endpoint handlers
> to validate the HTTP request method they've been called with. Many
> "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
> moment. This means that it's possible to send, for example, an HTTP "POST"
> to the "/state" endpoint and get the same results as if it would have been
> an HTTP "GET".
> While this is currently not a problem, it will complicate things when we
> want to authorize endpoint access. The authorization should take the HTTP
> request method into account to distinguish between "user wants read access
> to the endpoint" and "user wants write access to the endpoint". This makes
> it ambitious on how to handle these "read-only" endpoints that also accept
> a "POST" request.
> The solution to that problem would be to add HTTP request method validation
> to every endpoint, i.e. the read-only endpoints would reject any request
> method that isn't "GET". I've created MESOS-5346 for that.
> Because that would change the existing behavior, that allows to e.g. "POST"
> to a "read-only" endpoint, I'd like to know if anybody relies on that
> behavior, or if there are any other objections on changing it.
>
> Cheers,
> Jan
>
Re: Should "read-only" HTTP endpoints allow other request methods
than "GET"?
Posted by Stian Soiland-Reyes <st...@apache.org>.
OPTIONS and HEAD would also be in allowed.
Also the error if say POST is sometimes allowed, but not with the current
(anonymous or other) user, then the error should be 401 Unauthorized, not
405 Method not allowed.
On 10 May 2016 2:37 p.m., "Jan Schlicht" <ja...@mesosphere.io> wrote:
> Hi guys,
>
> while working on HTTP endpoint authorization for Mesos, I found some
> interesting behavior: It's the responsibility of the HTTP endpoint handlers
> to validate the HTTP request method they've been called with. Many
> "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
> moment. This means that it's possible to send, for example, an HTTP "POST"
> to the "/state" endpoint and get the same results as if it would have been
> an HTTP "GET".
> While this is currently not a problem, it will complicate things when we
> want to authorize endpoint access. The authorization should take the HTTP
> request method into account to distinguish between "user wants read access
> to the endpoint" and "user wants write access to the endpoint". This makes
> it ambitious on how to handle these "read-only" endpoints that also accept
> a "POST" request.
> The solution to that problem would be to add HTTP request method validation
> to every endpoint, i.e. the read-only endpoints would reject any request
> method that isn't "GET". I've created MESOS-5346 for that.
> Because that would change the existing behavior, that allows to e.g. "POST"
> to a "read-only" endpoint, I'd like to know if anybody relies on that
> behavior, or if there are any other objections on changing it.
>
> Cheers,
> Jan
>
Re: Should "read-only" HTTP endpoints allow other request methods
than "GET"?
Posted by John Muller <bl...@gmail.com>.
Although very few API developers use it, the OPTION verb is intended to
provide documentation without relying on external tools like Swagger /
WADL, etc.
http://zacstewart.com/2012/04/14/http-options-method.html
Do the current read-only endpoints like /state return "501 - Not
Implemented" for POST PUT and DELETE?
On Thu, May 12, 2016 at 8:51 AM, Alexander Rojas <al...@mesosphere.io>
wrote:
> I like the idea of using HTTP GET only, or at least a way to verify the
> method as early as possible.
>
> When discussing authorization, something that occur to me is that
> authorization
> is a potentially expensive call, so if we can discard the request as early
> as
> possible because the method doesn’t match, it reduces the need to process
> and unnecessary request.
>
> > On 10 May 2016, at 15:37, Jan Schlicht <ja...@mesosphere.io> wrote:
> >
> > Hi guys,
> >
> > while working on HTTP endpoint authorization for Mesos, I found some
> > interesting behavior: It's the responsibility of the HTTP endpoint
> handlers
> > to validate the HTTP request method they've been called with. Many
> > "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
> > moment. This means that it's possible to send, for example, an HTTP
> "POST"
> > to the "/state" endpoint and get the same results as if it would have
> been
> > an HTTP "GET".
> > While this is currently not a problem, it will complicate things when we
> > want to authorize endpoint access. The authorization should take the HTTP
> > request method into account to distinguish between "user wants read
> access
> > to the endpoint" and "user wants write access to the endpoint". This
> makes
> > it ambitious on how to handle these "read-only" endpoints that also
> accept
> > a "POST" request.
> > The solution to that problem would be to add HTTP request method
> validation
> > to every endpoint, i.e. the read-only endpoints would reject any request
> > method that isn't "GET". I've created MESOS-5346 for that.
> > Because that would change the existing behavior, that allows to e.g.
> "POST"
> > to a "read-only" endpoint, I'd like to know if anybody relies on that
> > behavior, or if there are any other objections on changing it.
> >
> > Cheers,
> > Jan
>
>
Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?
Posted by Alexander Rojas <al...@mesosphere.io>.
I like the idea of using HTTP GET only, or at least a way to verify the
method as early as possible.
When discussing authorization, something that occur to me is that authorization
is a potentially expensive call, so if we can discard the request as early as
possible because the method doesn’t match, it reduces the need to process
and unnecessary request.
> On 10 May 2016, at 15:37, Jan Schlicht <ja...@mesosphere.io> wrote:
>
> Hi guys,
>
> while working on HTTP endpoint authorization for Mesos, I found some
> interesting behavior: It's the responsibility of the HTTP endpoint handlers
> to validate the HTTP request method they've been called with. Many
> "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
> moment. This means that it's possible to send, for example, an HTTP "POST"
> to the "/state" endpoint and get the same results as if it would have been
> an HTTP "GET".
> While this is currently not a problem, it will complicate things when we
> want to authorize endpoint access. The authorization should take the HTTP
> request method into account to distinguish between "user wants read access
> to the endpoint" and "user wants write access to the endpoint". This makes
> it ambitious on how to handle these "read-only" endpoints that also accept
> a "POST" request.
> The solution to that problem would be to add HTTP request method validation
> to every endpoint, i.e. the read-only endpoints would reject any request
> method that isn't "GET". I've created MESOS-5346 for that.
> Because that would change the existing behavior, that allows to e.g. "POST"
> to a "read-only" endpoint, I'd like to know if anybody relies on that
> behavior, or if there are any other objections on changing it.
>
> Cheers,
> Jan