OPTIONS and HEAD would also be in allowed. Also the error if say POST is sometimes allowed, but not with the current (anonymous or other) user, then the error should be 401 Unauthorized, not 405 Method not allowed. On 10 May 2016 2:37 p.m., "Jan Schlicht" <[email protected]> wrote:
> Hi guys, > > while working on HTTP endpoint authorization for Mesos, I found some > interesting behavior: It's the responsibility of the HTTP endpoint handlers > to validate the HTTP request method they've been called with. Many > "read-only" endpoints (e.g. "/flags", "/state") don't do this at the > moment. This means that it's possible to send, for example, an HTTP "POST" > to the "/state" endpoint and get the same results as if it would have been > an HTTP "GET". > While this is currently not a problem, it will complicate things when we > want to authorize endpoint access. The authorization should take the HTTP > request method into account to distinguish between "user wants read access > to the endpoint" and "user wants write access to the endpoint". This makes > it ambitious on how to handle these "read-only" endpoints that also accept > a "POST" request. > The solution to that problem would be to add HTTP request method validation > to every endpoint, i.e. the read-only endpoints would reject any request > method that isn't "GET". I've created MESOS-5346 for that. > Because that would change the existing behavior, that allows to e.g. "POST" > to a "read-only" endpoint, I'd like to know if anybody relies on that > behavior, or if there are any other objections on changing it. > > Cheers, > Jan >
