Reject DELETE requests with a body #21453
Hi @brunocvcunha Thanks for the PR. This is slightly more complicated than just outright rejecting DELETE requests with body because the clear scroll API takes a body. I think we need to deprecate that form of the API and support eg
This change per se would be ok as it only rejects delete api calls with a body. Maybe we should define a better error message, but most important is that other apis should get the same change, pretty much every api that registers a DELETE endpoint:
If all of these APIs need to change, then we may want to make the change once in
@clintongormley we also support deleting a scroll by providing the id as a query_string parameter. Isn't that enough? Do we have to add POST with a body?
@javanna I did not look at the code but delete by query needs a body, right?
delete by query doesn't seem to be registering a DELETE endpoint anymore, rather a POST. see https://github.com/elastic/elasticsearch/blob/master/modules/reindex/src/main/java/org/elasticsearch/index/reindex/RestDeleteByQueryAction.java#L45
oh? Thanks @javanna. I was not aware of that change.
No it is not enough, unfortunately. It is quite easy to exceed the HTTP header length with clear-scroll requests against many shards
Thanks for the suggestions guys. This handler is only registered for the As of the message, I took some others as example, and it follows the same format/level of detail. I could extend the PR to other endpoints, and take a look at how this could be handled by the
We prefer pull requests against our master branch.
hi @brunocvcunha thanks for your contribution! The only delete endpoint left that requires a body is clear scroll, which we are going to deprecate in 5.x. We can then make the generic change to I defer to @clintongormley for the error message that we want to return.
Re the exception message, how about:
…ndpoint The clear scroll api currently allows to provide a scroll by specifying it either as part of the url (it is effectively the resource that gets deleted) or within the request body. The current api uses the DELETE method though, and we have decided to remove support for providing the request body with any DELETE endpoint in the future. In order to get to this for the next major version, we introduce the new endpoint `POST /_search/clear_scroll` which replaces the current clear_scroll api and uses POST instead of DELETE. It allows to provide the `scroll_id` as a url parameter, which is though deprecated (will output a deprecation warning when used) in favour of providing it as part of the request body. The `DELETE /_search/scroll/` is deprecated, hence it will output a deprecation warning whenever used. The DELETE endpoints will be removed in 6.0, as well as the support for providing the scroll_id as a url parameter against the POST endpoint. Relates to elastic#8217 Relates to elastic#21453
@brunocvcunha Are you interested in updating this PR given the suggestions made?
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?
Apologies, I see now you already made the suggested wording change. In the future, you should ping reviewers after updating a PR. @elasticmachine test this please
Ah, @brunocvcunha if you are still interested in this change, can you cherry pick to master and force push to this branch?
why did you close this @martijnvg ?
I get that this has been stalled for a long time, but do we have any chance of un-stalling it? Should we start fresh on the issue once we've unblocked the prerequisites? @brunocvcunha, are you still interested in this after all this time?
No additional feedback, closing.
According to issues #8217 and #5960, DELETE requests that contain a body should be rejected.
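The policy discussed in this thread, sketched as an added example (not code from this PR or from Elasticsearch): a generic check rejects any DELETE that carries or announces a body before a handler is chosen, while `POST /_search/clear_scroll` accepts scroll ids in the body so long id lists do not have to fit in the URL. The function names, error strings, warning texts and the `cleared` response field are all assumptions made for illustration.

```python
import json

def has_body(headers, body=b""):
    """True if the request carries, or announces, a body."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if body or "transfer-encoding" in h:
        return True
    try:
        return int(h.get("content-length", "0")) != 0
    except ValueError:
        return True  # malformed Content-Length: treat as a body so it is rejected

def handle(method, path, query=None, headers=None, body=b""):
    """Toy REST layer: returns (status, payload, deprecation_warnings)."""
    query, headers, warnings = query or {}, headers or {}, []
    if method == "DELETE":
        # Generic check, applied before any handler is selected.
        if has_body(headers, body):
            return 400, {"error": "DELETE request must not have a body"}, warnings
        prefix = "/_search/scroll/"
        if path.startswith(prefix) and len(path) > len(prefix):
            warnings.append("DELETE /_search/scroll/ is deprecated")
            return 200, {"cleared": path[len(prefix):].split(",")}, warnings
        return 404, {"error": "no handler"}, warnings
    if method == "POST" and path == "/_search/clear_scroll":
        if "scroll_id" in query:
            warnings.append("scroll_id as a url parameter is deprecated")
            ids = query["scroll_id"].split(",")
        else:
            try:
                ids = json.loads(body or b"{}").get("scroll_id", [])
            except (ValueError, AttributeError):
                return 400, {"error": "malformed body"}, warnings
            ids = [ids] if isinstance(ids, str) else ids
        if not isinstance(ids, list) or not ids:
            return 400, {"error": "scroll_id is required"}, warnings
        return 200, {"cleared": ids}, warnings
    return 404, {"error": "no handler"}, warnings
```
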