Hi John,
All good points!
How comfortable are you with Java? The current REST API evolved organically
based on the needs of the web UI. While we could wait for a REST re-design, we
could also move forward just adding the messages you need — especially if you
can contribute the code.
The code is in org.apache.drill.exec.server.rest.LogInLogOutResources. This is
a mercifully short file. The login page message itself is one line of actual
code:
@POST
@Path("/login")
@Produces(MediaType.TEXT_HTML)
public Viewable getLoginPageAfterValidationError() {
return ViewableWithPermissions.createLoginPage("Invalid username/password
credentials.");
}
Seems simple enough to change above method to add the HTTP status to the
generated web page; the browser won’t care.
The web framework Drill uses is quite rich (mucked about with it a year ago,
but have gotten rusty since.) There is an easy way to indicate the HTTP status;
I just can’t remember what it is…
Anyone else remember how to set the return status in a Jetty response?
Thanks,
- Paul
> On Jul 7, 2017, at 5:48 AM, John Omernik <[email protected]> wrote:
>
> Hello all, I recently setup some notebooks using the Rest API.
>
> I found that I was using Drill 1.8, and my code for determining
> authentication in Python, while hacky, worked... What I found is using
> python requests, when I posted to j_security check, the requests object
> almost always returned a HTTP 200.
>
> If it was a bad username/password, I parsed the page and looked for that
> text. In 1.8, if login was successful the string "Number of Drill Bits"
> appeared on in the response text. From the requests module perspective,
> both used HTTP 200 as a status code. However, on a successful login, Drill
> actually sends a HTTP 303 that goes to / and apparently requests auto grabs
> that request like nothing happened. Never telling me, the programmer about
> the 303.
>
> However, in Drill 1.10, the UI for the / page improved, and likely, the
> string "Number of Drill Bits" was removed. This made it so I now had to
> reprogram my auth code to handle it better.
>
> So here I am, What IS the best way to determine programmatically in a way
> that will remain stable if login was successful. Obviously string parsing
> is prone to error and can be changed. I tried checking for the presence of
> a JSESSIONID but that can show up either way.
>
> So what is the "right" way to indicate login is successful? Could we do
> something better with response codes? I know having the Form seems to make
> sense, but could we just use basic authentication and set the header with
> the form? That way, we could issue single queries with basic auth and get a
> Unauthorized if the authentication didn't work. I don't know if I have an
> answer, but I do know that working with the Rest API isn't all that
> intuitive, it should be easier to tell if login was successful... I am
> interested in the thoughts of others here.
>
> John
>
>
>
>
>
>
>
> (Code)
> def authDrill(self):
> url = self.drill_base_url + "/j_security_check"
> login = {'j_username': self.drill_user, 'j_password':
> self.drill_pass}
>
> verify = "/etc/ssl/certs/ca-certificates.crt"
>
> if self.drill_pin_to_ip == True:
> verify = False
>
> requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
> else:
> verify = "/etc/ssl/certs/ca-certificates.crt"
>
> r = self.session.post(url, data=login, headers=self.drill_headers,
> verify=verify)
> if r.status_code == 200:
> if r.text.find("Invalid username/password credentials") >= 0:
> raise Exception("Invalid username/password credentials")
> elif r.text.find("Number of Drill Bits") >= 0:
> pass
> else:
> raise Exception("Unknown HTTP 200 Code: %s" % r.text)
> else:
> raise Exception("Status Code: %s - Error" % r.status_code)
> return self.session
