Although very few API developers use it, the OPTION verb is intended to provide documentation without relying on external tools like Swagger / WADL, etc. http://zacstewart.com/2012/04/14/http-options-method.html
Do the current read-only endpoints like /state return "501 - Not Implemented" for POST PUT and DELETE? On Thu, May 12, 2016 at 8:51 AM, Alexander Rojas <[email protected]> wrote: > I like the idea of using HTTP GET only, or at least a way to verify the > method as early as possible. > > When discussing authorization, something that occur to me is that > authorization > is a potentially expensive call, so if we can discard the request as early > as > possible because the method doesn’t match, it reduces the need to process > and unnecessary request. > > > On 10 May 2016, at 15:37, Jan Schlicht <[email protected]> wrote: > > > > Hi guys, > > > > while working on HTTP endpoint authorization for Mesos, I found some > > interesting behavior: It's the responsibility of the HTTP endpoint > handlers > > to validate the HTTP request method they've been called with. Many > > "read-only" endpoints (e.g. "/flags", "/state") don't do this at the > > moment. This means that it's possible to send, for example, an HTTP > "POST" > > to the "/state" endpoint and get the same results as if it would have > been > > an HTTP "GET". > > While this is currently not a problem, it will complicate things when we > > want to authorize endpoint access. The authorization should take the HTTP > > request method into account to distinguish between "user wants read > access > > to the endpoint" and "user wants write access to the endpoint". This > makes > > it ambitious on how to handle these "read-only" endpoints that also > accept > > a "POST" request. > > The solution to that problem would be to add HTTP request method > validation > > to every endpoint, i.e. the read-only endpoints would reject any request > > method that isn't "GET". I've created MESOS-5346 for that. > > Because that would change the existing behavior, that allows to e.g. > "POST" > > to a "read-only" endpoint, I'd like to know if anybody relies on that > > behavior, or if there are any other objections on changing it. > > > > Cheers, > > Jan > >
