Is this some bug in Storm? If so, how could we file bugs for the community?
Xiaoyong From: Joe Zhang (SDE) [mailto:[email protected]] Sent: Wednesday, December 24, 2014 4:17 PM To: [email protected] Subject: RE: Missing CSRF token error when trying to use POST operations of Storm Rest API I do some more investigate about the random error I find some x-csrf-token getting from the first http get request contains “\/”, for example “\/dE\/k8N5H0Ora1IY9UAfx3fc7M4b0EZOMbWUXdUNn9IitAjOhmup+OiHx\/v5W+kUuWu4TkBsFsfvd7Km” If I replace \/ with / and this should be /dE/k8N5H0Ora1IY9UAfx3fc7M4b0EZOMbWUXdUNn9IitAjOhmup+OiHx/v5W+kUuWu4TkBsFsfvd7Km, It can run the second post request successfully~ Best wishes Joe zhang From: Joe Zhang (SDE) [mailto:[email protected]] Sent: Wednesday, December 24, 2014 3:53 PM To: [email protected]<mailto:[email protected]> Subject: RE: Missing CSRF token error when trying to use POST operations of Storm Rest API By the way, I find another thing: If I keep the x-csrf-token and the cookie and then I use the same x-csrf-token and the cookie saved when I do the post request(activate or deactivate ) every time , will the save token or cookie be expired?? I also do anther experiment , for every post request , I will try get the different x-csrf-token and cookie using the get http://localhost:8080/api/v1/topology/wordcount-1-1419399960,it will failed randomly and return the error of { "error" : "Forbidden action.", "errorMessage" : "missing CSRF token." } Best wishes Joe zhang From: Joe Zhang (SDE) [mailto:[email protected]] Sent: Wednesday, December 24, 2014 3:23 PM To: [email protected]<mailto:[email protected]> Subject: RE: Missing CSRF token error when trying to use POST operations of Storm Rest API I can run it successully , thanks for your investigate Best wishes Joe zhang From: Harsha [mailto:[email protected]] Sent: Wednesday, December 24, 2014 1:57 PM To: [email protected]<mailto:[email protected]> Subject: Re: Missing CSRF token error when trying to use POST operations of Storm Rest API Hi Joe, This is what I tried and it worked for me. curl -i -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/api/v1/topology/wordcount-1-1419399960 from the above the request I take antiForgeryToken curl -i -b ~/cookiejar.txt -c ~/cookiejar.txt -X POST -H 'x-csrf-token:aB5nEmd7TsQOeluQpRXqKo6rLfFDw3h+L4RwKGe7zVbhzMV9tJeX3bHu+Sh0vLa+vkbo71Rq2VoXfj4c' http://localhost:8080/api/v1/topology/wordcount-1-1419399960/deactivate The second curl request will succeed and will give you a 302 which is a bug on the UI rest api part but above request will work. -Harsha On Tue, Dec 23, 2014, at 09:07 PM, Parth Brahmbhatt wrote: I am not sure why the command won’t work for you. If you want to see the actual post request from your browser you can follow the following steps: In Chrome, Click on the settings button (its on the top right corner) Settings -> More tools -> Developer Tools. On the developer tool bar click on the Network tab and check the "Preserve log” check box. Now navigate to a topology and click activate. In the network tab you will see a post request for activate. Right Click on that and you will see a copy as curl option. This should give you the complete curl command. You can remove everything but the x-csrf-token and ring-session and see if the request succeeds. Thanks Parth On Dec 23, 2014, at 8:46 PM, Joe Zhang (SDE) <[email protected]<mailto:[email protected]>> wrote: I have passed both csrf token and the ring-session Ids as the second request head, but It still has this issue ~ But I can deactivate the topology using the Storm UI Best wishes Joe zhang From:Parth Brahmbhatt [mailto:[email protected]] Sent:Wednesday, December 24, 2014 12:33 PM To:Joe Zhang (SDE) Cc:[email protected]<mailto:[email protected]> Subject:Re: Missing CSRF token error when trying to use POST operations of Storm Rest API Sorry for the confusion here is how its working on my desktop. First I make a get call with curl and write the cookie to a file: curl -c cookies.txt 'http://localhost:8080/api/v1/topology/wordcount-2-1419393872?sys=false' I copy the "antiForgeryToken":"UtBiKWAewurAl+QZNQLPCY969YBPMRdrxGhOB9yL35sXzFRNQLIOOMi6kSg9yIAT5NLdRz0VF2iCdmEc” value from the response and the “ring-session c6880c5b-1651-412a-962b-763bba966d4e" value from cookies.txt file. Using these two values I make a post request : curl 'http://localhost:8080/api/v1/topology/wordcount-2-1419393872/deactivate'-X POST -H 'x-csrf-token: UtBiKWAewurAl+QZNQLPCY969YBPMRdrxGhOB9yL35sXzFRNQLIOOMi6kSg9yIAT5NLdRz0VF2iCdmEc' -H 'Cookie: ring-session=c6880c5b-1651-412a-962b-763bba966d4e’ Note that both csrf token and the ring-session Ids are passed as headers. Let me know if this still does not work for you. Thanks Parth On Dec 23, 2014, at 7:37 PM, Joe Zhang (SDE) <[email protected]<mailto:[email protected]>> wrote: Try using this curl 'http://localhost:8080/api/v1/topology/wordcount-1-1417552268/deactivate<http://www.google.com/url?q=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fv1%2Ftopology%2Fwordcount-1-1417552268%2Fdeactivate&sa=D&sntz=1&usg=AFQjCNHoQwJSyBCU7x5ZJ2c6b4r18gkRtw>' -X POST -H 'x-csrf-token: K7RAB7TXD579g4JCs2hK6S0bxP35x8IZB4uFZqueT1eqj451+pvz0b7BGvFi2DZ2HKLenCJQTSE5hSlE'-H'Cookie:csrftoken=64142f8e6fc9f9bedc70b15aef657ef4; ring-session=e1c4715f-e3d3-47e1-8573-1f736cefdb34' The high light is the filed I get from response filed antiForgeryToken, butCookie:csrftoken also need a csrftoken, what I mean is where can I get this?? Best wishes Joe zhang From:Parth Brahmbhatt [mailto:[email protected]] Sent:Wednesday, December 24, 2014 11:18 AM To:Joe Zhang (SDE) Cc:[email protected]<mailto:[email protected]> Subject:Re: Missing CSRF token error when trying to use POST operations of Storm Rest API any get request that you make will have a field called antiForgeryToken in response. The value of this field should be sent as csrfToken. Thanks Parth On Dec 23, 2014, at 6:39 PM, Joe Zhang (SDE) <[email protected]<mailto:[email protected]>> wrote: How can I get theCookie:csrftoken=64142f8e6fc9f9bedc70b15aef657ef4 ?? Best wishes Joe zhang From:Parth Brahmbhatt [mailto:[email protected]] Sent:Wednesday, December 24, 2014 12:49 AM To:[email protected]<mailto:[email protected]> Cc:Joe Zhang (SDE) Subject:Re: Missing CSRF token error when trying to use POST operations of Storm Rest API Hey, Try using this curl 'http://localhost:8080/api/v1/topology/wordcount-1-1417552268/deactivate<http://www.google.com/url?q=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fv1%2Ftopology%2Fwordcount-1-1417552268%2Fdeactivate&sa=D&sntz=1&usg=AFQjCNHoQwJSyBCU7x5ZJ2c6b4r18gkRtw>' -X POST -H 'x-csrf-token: K7RAB7TXD579g4JCs2hK6S0bxP35x8IZB4uFZqueT1eqj451+pvz0b7BGvFi2DZ2HKLenCJQTSE5hSlE' -H'Cookie:csrftoken=64142f8e6fc9f9bedc70b15aef657ef4; ring-session=e1c4715f-e3d3-47e1-8573-1f736cefdb34' On Mon, Dec 22, 2014 at 10:23 PM, Xiaoyong Zhu <[email protected]<mailto:[email protected]>> wrote: Hi Storm experts, My colleague and I are trying to using the REST API to active or detactive storm topology using C# Httpclient. Unfortunately , no matter how we tried, Storm returns the same error : { "error" : "Forbidden action.", "errorMessage" : "missing CSRF token." } We notice that“ All the post requests below must include a header "x-csrf-token" with the value of "antiForgeryToken" from the GET response”, but we still hit this error. Below is my code: <1> First Get CSRF Token string requestUrl = "http://127.0.0.1:8744/api/v1/topology/my_word_count-4-1417592340";; HttpServerBroker serverBroker = new HttpServerBroker(null, null); string jsonResult = serverBroker.GetHttpRequestResult(requestUrl, "GET"); <2> Using the token do the post request HttpServerBroker serverBroker = new HttpServerBroker(null, token); string requestUrl = "http://127.0.0.1:8744/api/v1/topology/my_word_count-4-1417592340/deactivate";; string jsonResult = serverBroker.GetHttpRequestResult(requestUrl, "POST"); public class HttpServerBroker { // In order to prevent CSRF vulnerability, storm rest API uses a CSRF token private readonly string _antiForgeryToken; private ICredentials _credentials; public HttpServerBroker(ICredentials credentials, string antiForgeryToken) { _credentials = credentials; _antiForgeryToken = antiForgeryToken; } public string GetHttpRequestResult(string requestUrl, string method, string contentType = "application/x-www-form-urlencoded", string strPostData = null) { string httpResultString = null; HttpWebRequest httpRequest = this.GenerateHttpRequest(requestUrl, contentType, method, strPostData); using (HttpWebResponse response = (HttpWebResponse)httpRequest.GetResponse()) { using (Stream responseStream = response.GetResponseStream()) { if (responseStream != null) { using (StreamReader reader = new StreamReader(responseStream)) { httpResultString = reader.ReadToEnd(); } } } } return httpResultString; } public HttpWebRequest GenerateHttpRequest(string requestUrl, string contentType, string method, string strPostData) { HttpWebRequest request = (HttpWebRequest)WebRequest.Create(requestUrl); request.ContentType = contentType; request.Method = method; if (!String.IsNullOrWhiteSpace(_antiForgeryToken)) { request.Headers.Add("x-csrf-token", _antiForgeryToken.Trim()); } // This is necessary since during NTLM authentication with the // auth server, a session ID is passed around in a cookie. This // cookie will not be passed correctly during authentication if // a cookie container is not specified as cookies are disabled // by default. request.CookieContainer = new CookieContainer(); return request; } } Any help will be appreciated! Thanks! Xiaoyong & Joe -- Thanks Parth CONFIDENTIALITY NOTICE NOTICE: This message is intended for the use of the individual or entity to which it is addressed and may contain information that is confidential, privileged and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any printing, copying, dissemination, distribution, disclosure or forwarding of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and delete it from your system. Thank You. CONFIDENTIALITY NOTICE NOTICE: This message is intended for the use of the individual or entity to which it is addressed and may contain information that is confidential, privileged and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any printing, copying, dissemination, distribution, disclosure or forwarding of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and delete it from your system. Thank You. CONFIDENTIALITY NOTICE NOTICE: This message is intended for the use of the individual or entity to which it is addressed and may contain information that is confidential, privileged and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any printing, copying, dissemination, distribution, disclosure or forwarding of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and delete it from your system. Thank You. CONFIDENTIALITY NOTICE NOTICE: This message is intended for the use of the individual or entity to which it is addressed and may contain information that is confidential, privileged and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any printing, copying, dissemination, distribution, disclosure or forwarding of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and delete it from your system. Thank You.
