I like the idea of using HTTP GET only, or at least a way to verify the method as early as possible.
When discussing authorization, something that occur to me is that authorization is a potentially expensive call, so if we can discard the request as early as possible because the method doesn’t match, it reduces the need to process and unnecessary request. > On 10 May 2016, at 15:37, Jan Schlicht <[email protected]> wrote: > > Hi guys, > > while working on HTTP endpoint authorization for Mesos, I found some > interesting behavior: It's the responsibility of the HTTP endpoint handlers > to validate the HTTP request method they've been called with. Many > "read-only" endpoints (e.g. "/flags", "/state") don't do this at the > moment. This means that it's possible to send, for example, an HTTP "POST" > to the "/state" endpoint and get the same results as if it would have been > an HTTP "GET". > While this is currently not a problem, it will complicate things when we > want to authorize endpoint access. The authorization should take the HTTP > request method into account to distinguish between "user wants read access > to the endpoint" and "user wants write access to the endpoint". This makes > it ambitious on how to handle these "read-only" endpoints that also accept > a "POST" request. > The solution to that problem would be to add HTTP request method validation > to every endpoint, i.e. the read-only endpoints would reject any request > method that isn't "GET". I've created MESOS-5346 for that. > Because that would change the existing behavior, that allows to e.g. "POST" > to a "read-only" endpoint, I'd like to know if anybody relies on that > behavior, or if there are any other objections on changing it. > > Cheers, > Jan
