[#42] feat(server-common): Support cors filter #1238
Conversation
docs/security.md
Outdated
| | `gravitino.auxService.iceberg-rest.allowedHeaders` | A comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single *, this means that any headers will be accepted. | `X-Requested-With,Content-Type,Accept,Origin` | No | 0.4.0 | | ||
| | `gravitino.auxService.iceberg-rest.preflightMaxAge` | The number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes. | `1800` | No | 0.4.0 | | ||
| | `gravitino.auxService.iceberg-rest.allowCredentials` | A boolean indicating if the resource allows requests with credentials. Default value is true. | `true` | No | 0.4.0 | | ||
| | `gravitino.auxService.iceberg-rest.exposedHeaders` | A comma separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list. | `` | No | 0.4.0 | |
There was a problem hiding this comment.
I noticed that Server configuration and Iceberg REST service's configuration are almost the same, can we merge them into one and say 'Iceberg rest are the same, the difference is that the prefix of configuration key is ....'
There was a problem hiding this comment.
Maybe it's will be difficult for users.
docs/security.md
Outdated
| | `gravitino.server.webserver.allowedTimingOrigins` | A comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins. | `` | No | 0.4.0 | | ||
| | `gravitino.server.webserver.allowedMethods` | a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD,DELETE. | `GET,POST,HEAD,DELETE` | No | 0.4.0 | | ||
| | `gravitino.server.webserver.allowedHeaders` | A comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single *, this means that any headers will be accepted. | `X-Requested-With,Content-Type,Accept,Origin` | No | 0.4.0 | | ||
| | `gravitino.server.webserver.preflightMaxAge` | The number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes. | `1800` | No | 0.4.0 | |
There was a problem hiding this comment.
preflight is pre + flight or perf + light? The meaning of preflight is?
There was a problem hiding this comment.
pre + flight. This word is from the Jetty.
There was a problem hiding this comment.
It would be better to change to "gravitino.server.webserver.preflightMaxAgeInSecs"
| .createWithDefault("X-Requested-With,Content-Type,Accept,Origin"); | ||
|
|
||
| public static final ConfigEntry<Integer> PREFLIGHT_MAX_AGE = | ||
| new ConfigBuilder("preflightMaxAge") |
There was a problem hiding this comment.
preflightMaxAge -> preflightMaxAgeInSecs
docs/security.md
Outdated
| |---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------|----------|---------------| | ||
| | `gravitino.server.webserver.enableCorsFilter` | Enable cross origin resource share filter. | false | No | 0.4.0 | | ||
| | `gravitino.server.webserver.allowedOrigins` | A comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins. | `*` | No | 0.4.0 | | ||
| | `gravitino.server.webserver.allowedTimingOrigins` | A comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins. | `` | No | 0.4.0 | |
There was a problem hiding this comment.
What' the meaning of "time the resource"?
There was a problem hiding this comment.
This should a term of HTTP. time the resource should mean that get metrics time from the server.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
docs/security.md
Outdated
| | `gravitino.server.webserver.allowedTimingOrigins` | A comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins. | `` | No | 0.4.0 | | ||
| | `gravitino.server.webserver.allowedMethods` | a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD,DELETE. | `GET,POST,HEAD,DELETE` | No | 0.4.0 | | ||
| | `gravitino.server.webserver.allowedHeaders` | A comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single *, this means that any headers will be accepted. | `X-Requested-With,Content-Type,Accept,Origin` | No | 0.4.0 | | ||
| | `gravitino.server.webserver.preflightMaxAge` | The number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes. | `1800` | No | 0.4.0 | |
There was a problem hiding this comment.
It would be better to change to "gravitino.server.webserver.preflightMaxAgeInSecs"
| public static final ConfigEntry<String> ALLOWED_HEADERS = | ||
| new ConfigBuilder("allowedHeaders") | ||
| .doc( | ||
| "A comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single *, this means that any headers will be accepted.") |
There was a problem hiding this comment.
The code line seems too long, is it ok for spotless check?
There was a problem hiding this comment.
Yes, I used spotless to format the file.
There was a problem hiding this comment.
I would suggest to limit the line length to 100 words.
| public static final ConfigEntry<String> ALLOWED_TIMING_ORIGINS = | ||
| new ConfigBuilder("allowedTimingOrigins") | ||
| .doc( | ||
| "A comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins.") |
| new ConfigBuilder("enableCorsFilter") | ||
| .doc("Enable cross origin resource share filter") | ||
| .version("0.4.0") | ||
| .booleanConf() |
There was a problem hiding this comment.
Why don't you have checkValue here?
8cbdea7 to
561312d
Compare
| public static final ConfigEntry<String> ALLOWED_HEADERS = | ||
| new ConfigBuilder("allowedHeaders") | ||
| .doc( | ||
| "A comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single *, this means that any headers will be accepted.") |
There was a problem hiding this comment.
I would suggest to limit the line length to 100 words.
| FilterHolder filterHolder = new FilterHolder(); | ||
| filterHolder.setClassName(CrossOriginFilter.class.getName()); | ||
| filterHolder.setInitParameter( | ||
| JettyServerConfig.ALLOWED_ORIGINS.getKey(), config.getAllowedOrigins()); |
There was a problem hiding this comment.
Will this cors filter check the validity of the configuration? For example, if the configuration is not legal or have additional/trailing whitespace.
There was a problem hiding this comment.
No, this cors filter check less things. Only check int type whether can be parsed to Integer.
| import org.eclipse.jetty.servlet.FilterHolder; | ||
| import org.eclipse.jetty.servlets.CrossOriginFilter; | ||
|
|
||
| class CorsFilterHelper { |
There was a problem hiding this comment.
I would suggest renaming this class to CorsFilterHolder
|
|
||
| private CorsFilterHelper() {} | ||
|
|
||
| public static FilterHolder createCorsFilterHolder(JettyServerConfig config) { |
There was a problem hiding this comment.
And you can simplify the method name to create to remove duplication with class name.
| @@ -253,15 +259,17 @@ public final class JettyServerConfig { | |||
| public static final ConfigEntry<String> EXPOSED_HEADERS = | |||
| new ConfigBuilder("exposedHeaders") | |||
| .doc( | |||
| "A comma separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list") | |||
| "A comma separated list of HTTP headers that are allowed to be exposed on the client." | |||
There was a problem hiding this comment.
I think you miss a whitespace when you fold the sentence into two lines. Not just here, but also in the above code.
What changes were proposed in this pull request?
I wrap the cors filter of Jetty as our system internal filter. Most default values respect the default values of the cors filter of Jetty. I only change the default value of
AllowMethods.The origin default value isPUT,GET,POST,HEAD. Because we usually useDELETEmethod, too. I change it toPUT,GET,POST,HEAD,DELETE.Why are the changes needed?
Fix: #42
Does this PR introduce any user-facing change?
yes, I have added the document.
How was this patch tested?
UT + manual test