[ https://issues.apache.org/jira/browse/HDDS-14386?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ivan Andika updated HDDS-14386:
-------------------------------
    Description: 
Currently, Ozone does not support per-bucket CORS configuration (it depends on 
the reverse proxy).

We can implement per-bucket CORS configuration 
([https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html]).

The create flow looks something like:
 * User uses the S3 API to create the CORS configuration 
([https://docs.aws.amazon.com/AmazonS3/latest/userguide/enabling-cors-examples.html])
 * S3G parses the request and sends the request to OM
 * OM will update the OmBucketInfo with the CORS policy

Since S3G will call getBucket, we can return the CORS policy as part of 
OzoneBucket and use that to create the CORS response.

For reference, NGINX CORS configuration can look like this to allow S3G to be 
compatible with CORS.
{code:java}
if ($http_origin ~ '^http[s]*://(.*)') {
    set $cors 'cors';
    add_header 'Access-Control-Allow-Origin' $http_origin always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, HEAD, DELETE, PATCH, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' $http_access_control_request_headers always;
    add_header 'Access-Control-Expose-Headers' 'ETag' always;
}
if ($request_method = 'OPTIONS') {
    set $cors '${cors}_options';
}
if ($cors = 'cors_options') {
    add_header 'Access-Control-Allow-Origin' $http_origin always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, HEAD, DELETE, PATCH, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' $http_access_control_request_headers always;
    add_header 'Access-Control-Expose-Headers' 'ETag' always;
    return 204;
}
{code}

  was:
Ozone does not support per-bucket CORS configuration (it depends on the reverse 
proxy), but it is good to document the CORS configuration.

Nginx CORS configuration can look like this
{code:java}
if ($http_origin ~ '^http[s]*://(.*)') {
    set $cors 'cors';
    add_header 'Access-Control-Allow-Origin' $http_origin always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, HEAD, DELETE, PATCH, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' $http_access_control_request_headers always;
    add_header 'Access-Control-Expose-Headers' 'ETag' always;
}
if ($request_method = 'OPTIONS') {
    set $cors '${cors}_options';
}
if ($cors = 'cors_options') {
    add_header 'Access-Control-Allow-Origin' $http_origin always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, HEAD, DELETE, PATCH, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' $http_access_control_request_headers always;
    add_header 'Access-Control-Expose-Headers' 'ETag' always;
    return 204;
}
{code}
For HAProxy configuration we can check 
[https://github.com/haproxytech/haproxy-lua-cors]

Alternatively, we can implement CORS in S3G instead.


> Document the recommended S3G CORS configuration
> -----------------------------------------------
>
>                 Key: HDDS-14386
>                 URL: https://issues.apache.org/jira/browse/HDDS-14386
>             Project: Apache Ozone
>          Issue Type: Sub-task
>            Reporter: Ivan Andika
>            Assignee: Ivan Andika
>            Priority: Major
>
> Currently, Ozone does not support per-bucket CORS configuration (it depends 
> on the reverse proxy).
> We can implement per-bucket CORS configuration 
> ([https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html]).
> The create flow looks something like:
>  * User uses the S3 API to create the CORS configuration 
> ([https://docs.aws.amazon.com/AmazonS3/latest/userguide/enabling-cors-examples.html])
>  * S3G parses the request and sends the request to OM
>  * OM will update the OmBucketInfo with the CORS policy
> Since S3G will call getBucket, we can return the CORS policy as part of 
> OzoneBucket and use that to create the CORS response.
> For reference, NGINX CORS configuration can look like this to allow S3G to be 
> compatible with CORS.
> {code:java}
> if ($http_origin ~ '^http[s]*://(.*)') {
>     set $cors 'cors';
>     add_header 'Access-Control-Allow-Origin' $http_origin always;
>     add_header 'Access-Control-Allow-Credentials' 'true' always;
>     add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, HEAD, DELETE, PATCH, OPTIONS' always;
>     add_header 'Access-Control-Allow-Headers' $http_access_control_request_headers always;
>     add_header 'Access-Control-Expose-Headers' 'ETag' always;
> }
> if ($request_method = 'OPTIONS') {
>     set $cors '${cors}_options';
> }
> if ($cors = 'cors_options') {
>     add_header 'Access-Control-Allow-Origin' $http_origin always;
>     add_header 'Access-Control-Allow-Credentials' 'true' always;
>     add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, HEAD, DELETE, PATCH, OPTIONS' always;
>     add_header 'Access-Control-Allow-Headers' $http_access_control_request_headers always;
>     add_header 'Access-Control-Expose-Headers' 'ETag' always;
>     return 204;
> }
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
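
The issue above proposes that S3G build the CORS response from a policy stored with the bucket. The following Java 16+ example is added here for illustration and is not Apache Ozone code or the reporter's; `BucketCorsExample`, `CorsRule`, `matches`, `evaluate` and the sample origins are hypothetical names, and the matching follows the S3 CORS rule semantics from the linked AWS guide (a single `*` wildcard, first matching rule wins). Unlike the NGINX reference configuration, which echoes any http(s) `Origin` back, it answers only origins the bucket policy lists.

```java
import java.util.*;

// Added example with hypothetical names; not part of the Ozone code base.
public class BucketCorsExample {
  // One S3-style CORS rule, as it might be stored with the bucket metadata.
  record CorsRule(List<String> origins, List<String> methods,
                  List<String> headers, List<String> expose, int maxAge) {}

  // S3-style pattern match: at most one '*' wildcard, otherwise exact equality.
  static boolean matches(String pattern, String value) {
    int star = pattern.indexOf('*');
    if (star < 0) return pattern.equals(value);
    String pre = pattern.substring(0, star), suf = pattern.substring(star + 1);
    return value.length() >= pre.length() + suf.length()
        && value.startsWith(pre) && value.endsWith(suf);
  }

  // method: Access-Control-Request-Method for a preflight, else the request method.
  // Returns the CORS response headers, or an empty map when no rule allows the request.
  static Map<String, String> evaluate(List<CorsRule> rules, String origin,
                                      String method, List<String> reqHeaders) {
    if (origin == null) return Map.of();             // no Origin: not a CORS request
    for (CorsRule r : rules) {
      boolean originOk = r.origins().stream().anyMatch(p -> matches(p, origin));
      boolean headersOk = reqHeaders.stream().allMatch(h -> r.headers().stream()
          .anyMatch(p -> matches(p.toLowerCase(), h.toLowerCase())));
      if (!originOk || !r.methods().contains(method) || !headersOk) continue;
      Map<String, String> out = new LinkedHashMap<>();
      boolean any = r.origins().contains("*");
      out.put("Access-Control-Allow-Origin", any ? "*" : origin);
      if (!any) out.put("Vary", "Origin");           // response differs per origin
      out.put("Access-Control-Allow-Methods", String.join(", ", r.methods()));
      if (!reqHeaders.isEmpty())
        out.put("Access-Control-Allow-Headers", String.join(", ", reqHeaders));
      if (!r.expose().isEmpty())
        out.put("Access-Control-Expose-Headers", String.join(", ", r.expose()));
      if (r.maxAge() > 0) out.put("Access-Control-Max-Age", String.valueOf(r.maxAge()));
      return out;                                     // first matching rule wins
    }
    return Map.of();                                  // no match: send no CORS headers
  }

  public static void main(String[] args) {
    // Constructed policy for a hypothetical bucket.
    List<CorsRule> rules = List.of(new CorsRule(
        List.of("https://app.example.com", "https://*.corp.example.com"),
        List.of("GET", "PUT", "HEAD"), List.of("content-type", "x-amz-*"),
        List.of("ETag"), 3000));
    System.out.println(evaluate(rules, "https://app.example.com", "PUT",
        List.of("Content-Type", "x-amz-date")));
    System.out.println(evaluate(rules, "https://other.example.net", "PUT", List.of()));
  }
}
```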
