[ https://issues.apache.org/jira/browse/AURORA-390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13991371#comment-13991371 ]
Suman Karumuri commented on AURORA-390:
---------------------------------------
Per [1] and [2] access control is controlled by a different tag
'Access-Control-Allow-Credentials'. The 'Access-Control-Allow-Origin' flag only
controls what domains should be able to call this resource. Since the domain
of hosts which can call this service is large, we should just add the
"Access-Control-Allow-Origin: *" header and not even have a flag. Since the API is
read-only for now, I think we should just keep it simple.
To prevent malicious use cases we need to rely on some form of auth, and no
amount of setting headers would be enough.
[1] http://www.html5rocks.com/en/tutorials/cors/
[2] http://www.w3.org/TR/cors/
> UI should be able to query any scheduler backend
> ------------------------------------------------
>
> Key: AURORA-390
> URL: https://issues.apache.org/jira/browse/AURORA-390
> Project: Aurora
> Issue Type: Task
> Components: UI
> Reporter: Suman Karumuri
>
> Currently, we test the scheduler UI with the test data generated from the
> IsolatedSchedulerModule. While this is useful for basic testing, the data
> generated is of poor quality and is leading to many bugs that are discovered
> late. It would be awesome if the UI on my laptop can query any scheduler
> backend. For example, if the UI can query a test or a staging environment, we
> can test the UI with real data without an elaborate setup process. Further,
> it would simplify debugging prod issues and this will also take us closer to
> making the UI a separate self-hosted service to run e2e tests.
> Currently, the UI on the scheduler can only query the scheduler which is
> hosting the UI because the /api endpoint doesn't allow CORS calls. If we
> want to enable this we have 2 options:
> a) Enable CORS support on the /api endpoint by adding the
> "Access-Control-Allow-Origin: *" header.
> b) Make a JSON-P call from the UI front end to the backend. Since we make the
> Ajax calls to the backend using thrift library, we need to bypass the ajax
> stuff in the thrift library by writing our own wrapper around the thrift
> library to make the calls using JSON-P. (like the angular-thrift library[1]).
> Since any script can already query the JSON endpoint and since it is a less risky
> and simple change, I am leaning towards a).
> [~wfarner][~davmclau] and [~kevints] Please weigh in.
> [1] https://github.com/massaroni/angular-thrift
--
This message was sent by Atlassian JIRA
(v6.2#6252)
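
The two headers named in the comment above, as an added example that is not part of the original message or of Aurora's code: a JavaScript model of the browser-side CORS check from the Fetch standard, showing how "Access-Control-Allow-Origin: *" and "Access-Control-Allow-Credentials" interact. The origin values and function names are constructed for illustration.

```javascript
// Added example, not Aurora code. Models the "CORS check" from the Fetch
// standard: may a page on requestOrigin read this cross-origin response?
function corsCheck(responseHeaders, requestOrigin, credentialsMode) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false; // no CORS header: read is blocked

  const credentialed = credentialsMode === "include";
  // "*" is honoured only for requests sent without cookies or HTTP auth.
  if (!credentialed && allowOrigin === "*") return true;
  // Otherwise the header must match the caller's origin exactly.
  if (allowOrigin !== requestOrigin) return false;
  if (!credentialed) return true;
  // Credentialed reads also need Allow-Credentials with the exact value "true".
  return h["access-control-allow-credentials"] === "true";
}

// Constructed sample value: a UI served from a developer laptop.
const UI_ORIGIN = "http://localhost:8081";

function evaluatePolicies() {
  const wildcard = { "Access-Control-Allow-Origin": "*" };
  const wildcardWithCreds = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
  };
  const pinned = {
    "Access-Control-Allow-Origin": UI_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
  };
  return {
    wildcardAnonymous: corsCheck(wildcard, UI_ORIGIN, "omit"),
    wildcardCredentialed: corsCheck(wildcardWithCreds, UI_ORIGIN, "include"),
    pinnedCredentialed: corsCheck(pinned, UI_ORIGIN, "include"),
    pinnedOtherOrigin: corsCheck(pinned, "http://other.example", "include"),
    noHeader: corsCheck({}, UI_ORIGIN, "omit"),
  };
}

console.log(evaluatePolicies());
```

The check runs in the browser and decides only whether the calling page may read the response; it does not authenticate the caller.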