Github user steveloughran commented on the issue:
https://github.com/apache/spark/pull/13218
I can see there is fear of breaking things, especially with third party
clients. There's also the risk of cross-version submissions; the REST API is
meant to be stable enough for backwards compatibility. Adding a mandatory new
header will break things.
At the same time, its something to defend against.
What about having
1. the clients always send the header.
1. the server having the option to install the filter.
1. the security docs discussing this.
1. the REST API docs pointing to that section.
With the clients alway posting the header, they're going to work with
endpoints where the filter is turned on, and yet still work with those turned
off. The biggest impact here is that 1+ test case of the REST API will have to
turn on that filter, others will need to have it disabled, so that both
submission paths can be checked.
There's a side issue: should OPTIONS and TRACE be allowed anyway? They're
generally filtered on the basis that all they can do is expose unintentional
security holes. That said, Hadoop SPNEGO auth usually does an OPTIONS Call to
open the negotiation over a new ticket âpurely because it is so harmless in
day-today-HTTP.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
