subject:"Re\: Should \"read\-only\" HTTP endpoints allow other request methods than \"GET\"\?"

Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?

2016-05-13 Thread John Muller

Although very few API developers use it, the OPTION verb is intended to
provide documentation without relying on external tools like Swagger /
WADL, etc.
http://zacstewart.com/2012/04/14/http-options-method.html

Do the current read-only endpoints like /state return "501 - Not
Implemented" for POST PUT and DELETE?

On Thu, May 12, 2016 at 8:51 AM, Alexander Rojas 
wrote:

> I like the idea of using HTTP GET only, or at least a way to verify the
> method as early as possible.
>
> When discussing authorization, something that occur to me is that
> authorization
> is a potentially expensive call, so if we can discard the request as early
> as
> possible because the method doesn’t match, it reduces the need to process
> and unnecessary request.
>
> > On 10 May 2016, at 15:37, Jan Schlicht  wrote:
> >
> > Hi guys,
> >
> > while working on HTTP endpoint authorization for Mesos, I found some
> > interesting behavior: It's the responsibility of the HTTP endpoint
> handlers
> > to validate the HTTP request method they've been called with. Many
> > "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
> > moment. This means that it's possible to send, for example, an HTTP
> "POST"
> > to the "/state" endpoint and get the same results as if it would have
> been
> > an HTTP "GET".
> > While this is currently not a problem, it will complicate things when we
> > want to authorize endpoint access. The authorization should take the HTTP
> > request method into account to distinguish between "user wants read
> access
> > to the endpoint" and "user wants write access to the endpoint". This
> makes
> > it ambitious on how to handle these "read-only" endpoints that also
> accept
> > a "POST" request.
> > The solution to that problem would be to add HTTP request method
> validation
> > to every endpoint, i.e. the read-only endpoints would reject any request
> > method that isn't "GET". I've created MESOS-5346 for that.
> > Because that would change the existing behavior, that allows to e.g.
> "POST"
> > to a "read-only" endpoint, I'd like to know if anybody relies on that
> > behavior, or if there are any other objections on changing it.
> >
> > Cheers,
> > Jan
>
>

Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?

2016-05-12 Thread Alexander Rojas

I like the idea of using HTTP GET only, or at least a way to verify the 
method as early as possible.

When discussing authorization, something that occur to me is that authorization 
is a potentially expensive call, so if we can discard the request as early as 
possible because the method doesn’t match, it reduces the need to process
and unnecessary request.

> On 10 May 2016, at 15:37, Jan Schlicht  wrote:
> 
> Hi guys,
> 
> while working on HTTP endpoint authorization for Mesos, I found some
> interesting behavior: It's the responsibility of the HTTP endpoint handlers
> to validate the HTTP request method they've been called with. Many
> "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
> moment. This means that it's possible to send, for example, an HTTP "POST"
> to the "/state" endpoint and get the same results as if it would have been
> an HTTP "GET".
> While this is currently not a problem, it will complicate things when we
> want to authorize endpoint access. The authorization should take the HTTP
> request method into account to distinguish between "user wants read access
> to the endpoint" and "user wants write access to the endpoint". This makes
> it ambitious on how to handle these "read-only" endpoints that also accept
> a "POST" request.
> The solution to that problem would be to add HTTP request method validation
> to every endpoint, i.e. the read-only endpoints would reject any request
> method that isn't "GET". I've created MESOS-5346 for that.
> Because that would change the existing behavior, that allows to e.g. "POST"
> to a "read-only" endpoint, I'd like to know if anybody relies on that
> behavior, or if there are any other objections on changing it.
> 
> Cheers,
> Jan

Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?

2016-05-10 Thread Kevin Klues

There was some discussion of this between mpark and I in relation to
the v1 operator API.  The idea was to have a base class for endpoints
that implement GET/POST/DELETE/PUT/etc... functions that return an
error by default. You can then override the specific subset of them
that that each endpoint supports.

On Tue, May 10, 2016 at 6:42 AM, Vinod Kone  wrote:
> +1 to only allow GET for read only
>
> @vinodkone
>
>> On May 10, 2016, at 6:37 AM, Jan Schlicht  wrote:
>>
>> Hi guys,
>>
>> while working on HTTP endpoint authorization for Mesos, I found some
>> interesting behavior: It's the responsibility of the HTTP endpoint handlers
>> to validate the HTTP request method they've been called with. Many
>> "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
>> moment. This means that it's possible to send, for example, an HTTP "POST"
>> to the "/state" endpoint and get the same results as if it would have been
>> an HTTP "GET".
>> While this is currently not a problem, it will complicate things when we
>> want to authorize endpoint access. The authorization should take the HTTP
>> request method into account to distinguish between "user wants read access
>> to the endpoint" and "user wants write access to the endpoint". This makes
>> it ambitious on how to handle these "read-only" endpoints that also accept
>> a "POST" request.
>> The solution to that problem would be to add HTTP request method validation
>> to every endpoint, i.e. the read-only endpoints would reject any request
>> method that isn't "GET". I've created MESOS-5346 for that.
>> Because that would change the existing behavior, that allows to e.g. "POST"
>> to a "read-only" endpoint, I'd like to know if anybody relies on that
>> behavior, or if there are any other objections on changing it.
>>
>> Cheers,
>> Jan



-- 
~Kevin

Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?

2016-05-10 Thread Vinod Kone

+1 to only allow GET for read only

@vinodkone

> On May 10, 2016, at 6:37 AM, Jan Schlicht  wrote:
> 
> Hi guys,
> 
> while working on HTTP endpoint authorization for Mesos, I found some
> interesting behavior: It's the responsibility of the HTTP endpoint handlers
> to validate the HTTP request method they've been called with. Many
> "read-only" endpoints (e.g. "/flags", "/state") don't do this at the
> moment. This means that it's possible to send, for example, an HTTP "POST"
> to the "/state" endpoint and get the same results as if it would have been
> an HTTP "GET".
> While this is currently not a problem, it will complicate things when we
> want to authorize endpoint access. The authorization should take the HTTP
> request method into account to distinguish between "user wants read access
> to the endpoint" and "user wants write access to the endpoint". This makes
> it ambitious on how to handle these "read-only" endpoints that also accept
> a "POST" request.
> The solution to that problem would be to add HTTP request method validation
> to every endpoint, i.e. the read-only endpoints would reject any request
> method that isn't "GET". I've created MESOS-5346 for that.
> Because that would change the existing behavior, that allows to e.g. "POST"
> to a "read-only" endpoint, I'd like to know if anybody relies on that
> behavior, or if there are any other objections on changing it.
> 
> Cheers,
> Jan

Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?

Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?

Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?

Re: Should "read-only" HTTP endpoints allow other request methods than "GET"?

4 matches

Site Navigation

Mail list logo

Footer information