[jira] [Assigned] (HDDS-14386) Support bucket CORS configuration

Sat, 14 Mar 2026 19:59:08 -0700 


     [ 
https://issues.apache.org/jira/browse/HDDS-14386?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ivan Andika reassigned HDDS-14386:
----------------------------------

    Assignee: Ivan Andika

> Support bucket CORS configuration
> ---------------------------------
>
>                 Key: HDDS-14386
>                 URL: https://issues.apache.org/jira/browse/HDDS-14386
>             Project: Apache Ozone
>          Issue Type: Sub-task
>            Reporter: Ivan Andika
>            Assignee: Ivan Andika
>            Priority: Major
>
> Currently, Ozone does not support per-bucket CORS configuration. This means 
> that the CORS configuration is only decided on the reverse proxy that we use 
> (e.g. nginx , HAProxy, etc).
> We can implement per-bucket CORS configuration 
> ([https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html)] by adding 
> CORS configuration to OmBucketInfo in OM DB.
> The create flow looks something like 
>  * User uses the S3 API to create the CORS configuration 
> ([https://docs.aws.amazon.com/AmazonS3/latest/userguide/enabling-cors-examples.html)]
>  * S3G parse the request and send the request to OM
>  * OM will update the OmBucketInfo with the CORS policy
> Since S3G will call getBucket for most S3 requests, we can return the CORS 
> policy as part of OzoneBucket and use that to decide on  the CORS response 
> headers (e.g. Access-Control-Allow-Origin, etc) to return. We can then use 
> the bucket CORS configuration instead of CORS policy from the reverse proxy.
> For reference, NGINX CORS configuration can look like this
> {code:java}
> if ($http_origin ~ '^http[s]*://(.*)') {
>     set $cors 'cors';
>     add_header 'Access-Control-Allow-Origin' $http_origin always;
>     add_header 'Access-Control-Allow-Credentials' 'true' always;
>     add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, HEAD, DELETE, 
> PATCH, OPTIONS' always;
>     add_header 'Access-Control-Allow-Headers' 
> $http_access_control_request_headers always;
>     add_header 'Access-Control-Expose-Headers' 'ETag' always;
> }
> if ($request_method = 'OPTIONS') {
>     set $cors '${cors}_options';
> }
> if ($cors = 'cors_options') {
>     add_header 'Access-Control-Allow-Origin' $http_origin always;
>     add_header 'Access-Control-Allow-Credentials' 'true' always;
>     add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, HEAD, DELETE, 
> PATCH, OPTIONS' always;
>     add_header 'Access-Control-Allow-Headers' 
> $http_access_control_request_headers always;
>     add_header 'Access-Control-Expose-Headers' 'ETag' always;
>     return 204;
> } {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to