gianm commented on a change in pull request #10085:
URL: https://github.com/apache/druid/pull/10085#discussion_r446305543
##########
File path: docs/configuration/index.md
##########
@@ -1312,6 +1312,7 @@ Druid uses Jetty to serve HTTP requests.
|`druid.server.http.maxQueryTimeout`|Maximum allowed value (in milliseconds)
for `timeout` parameter. See [query-context](../querying/query-context.html) to
know more about `timeout`. Query is rejected if the query context `timeout` is
greater than this value. |Long.MAX_VALUE|
|`druid.server.http.maxRequestHeaderSize`|Maximum size of a request header in
bytes. Larger headers consume more memory and can make a server more vulnerable
to denial of service attacks.|8 * 1024|
|`druid.server.http.enableForwardedRequestCustomizer`|If enabled, adds Jetty
ForwardedRequestCustomizer which reads X-Forwarded-* request headers to
manipulate servlet request object when Druid is used behind a proxy.|false|
+|`druid.server.http.allowedHttpMethods`|List of http methods allowed in
addition to the ones needed by Druid. GET, PUT, POST, DELETE and OPTIONS are
always allowed. `druid.auth.allowUnauthenticatedHttpOptions` can be used to
disable the OPTIONS method.|[]|
Review comment:
"HTTP" should be capitalized when it appears in normal text like this.
##########
File path: docs/configuration/index.md
##########
@@ -1312,6 +1312,7 @@ Druid uses Jetty to serve HTTP requests.
|`druid.server.http.maxQueryTimeout`|Maximum allowed value (in milliseconds)
for `timeout` parameter. See [query-context](../querying/query-context.html) to
know more about `timeout`. Query is rejected if the query context `timeout` is
greater than this value. |Long.MAX_VALUE|
|`druid.server.http.maxRequestHeaderSize`|Maximum size of a request header in
bytes. Larger headers consume more memory and can make a server more vulnerable
to denial of service attacks.|8 * 1024|
|`druid.server.http.enableForwardedRequestCustomizer`|If enabled, adds Jetty
ForwardedRequestCustomizer which reads X-Forwarded-* request headers to
manipulate servlet request object when Druid is used behind a proxy.|false|
+|`druid.server.http.allowedHttpMethods`|List of http methods allowed in
addition to the ones needed by Druid. GET, PUT, POST, DELETE and OPTIONS are
always allowed. `druid.auth.allowUnauthenticatedHttpOptions` can be used to
disable the OPTIONS method.|[]|
Review comment:
A couple things about the design of the properties:
1. I don't think Druid itself uses OPTIONS requests. AFAIK, they are only
needed for people that are using CORS, which Druid doesn't support innately but
can be supported through extensions:
https://github.com/apache/druid/issues/6026. So, OPTIONS shouldn't be part of
the "always allowed" list.
2. `druid.auth.allowUnauthenticatedHttpOptions` today can't be used to
disable OPTIONS, it only controls whether or not it can be used without
authentication.
Taking these into account, I'd suggest designing and documenting them like
this:
|Property|Description|Default|
|--------|-----------|-------|
|`druid.server.http.allowedHttpMethods`|List of HTTP methods that should be
allowed in addition to the ones required by Druid APIs. Druid APIs require GET,
PUT, POST, and DELETE, which are always allowed. This option is not useful
unless you have installed an extension that needs these additional HTTP methods
or that adds functionality related to CORS. None of Druid's bundled extensions
require these methods.|[]|
|`druid.auth.allowUnauthenticatedHttpOptions`|If true, allow HTTP OPTIONS
requests by unauthenticated users. This is primarily useful for supporting CORS
preflight requests, which Druid does not support directly, but which can be
enabled using third-party extensions.<br /><br />Note that you must add
"OPTIONS" to `druid.server.http.allowedHttpMethods`.<br /><br />Also note that
disabling authentication checks for OPTIONS requests will allow unauthenticated
users to determine what Druid endpoints are valid (by checking if the OPTIONS
request returns a 200 instead of 404). Enabling this option will reveal
information about server configuration, including information about what
extensions are loaded, to unauthenticated users.|false|
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
