In Druid 0.12 there is no endpoint for OPTIONS queries. Thus it is impossible to run CORS queries. #5588

Closed
pguzik opened this Issue Apr 6, 2018 · 3 comments

pguzik commented Apr 6, 2018

We receive such HTTP query errors (403 return code):

Request did not have an authorization check performed.: {class=io.druid.server.security.PreResponseAuthorizationCheckFilter, uri=/druid/v2/, method=OPTIONS)

While running a CORS HTTP POST query, there is a pre-flight request, which is of OPTIONS type.

It is missing an @options endpoint in the QueryResource class.

Contributor

Dylan1312 commented Apr 6, 2018

The following extension exists, which I believe will enable CORS: https://github.com/acesinc/druid-cors-filter-extension

Although I'm not sure that it's a common use case because of the security implications of querying Druid directly from the browser.

Contributor

gianm commented Apr 6, 2018

I presume this worked before (the handling must be built into Jetty)?

mkuthan commented Apr 6, 2018

It worked on version 0.10 with some header modifications on the load balancer in front of the Druid brokers. The load balancer is configured to add CORS headers to all responses, so the cors-filter-extension is not needed.

In version 0.12 there is a new PreResponseAuthorizationCheckFilter at the end of the filter chain. It checks for the AuthConfig.DRUID_AUTHORIZATION_CHECKED servlet context attribute and, if the attribute is not set, returns 403.

The problem is that for an OPTIONS request there is no handler responsible for setting the servlet attribute AuthConfig.DRUID_AUTHORIZATION_CHECKED, even if security is not enabled at all.
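
The behaviour described in the comment above, as an added example that is not part of the thread and not Druid source code: a simplified plain-Java model of a final filter that fails closed when no authorization decision was recorded. The `preflightFilter`, the origin allowlist, the attribute string and the modelled 200 for an unhandled OPTIONS request are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class PreflightAuthCheckDemo {
    // Stands in for the AuthConfig.DRUID_AUTHORIZATION_CHECKED attribute named in the thread.
    static final String AUTH_CHECKED = "authorization-checked";
    // Constructed allowlist for the hypothetical preflight filter.
    static final Set<String> ALLOWED_ORIGINS = Set.of("https://dashboard.example.com");

    record Request(String method, String uri, String origin, Map<String, Object> attrs) {}

    static Request request(String method, String origin) {
        return new Request(method, "/druid/v2/", origin, new HashMap<>());
    }

    // Resource layer: only the POST handler runs an authorization check and records it.
    // For OPTIONS no handler runs; the container's default answer is modelled as 200.
    static int resource(Request r) {
        if (r.method().equals("POST")) {
            r.attrs().put(AUTH_CHECKED, Boolean.TRUE);
        }
        return 200;
    }

    // Last filter in the chain: fail closed when nothing recorded an authorization decision.
    static int preResponseCheck(Request r, int status) {
        return r.attrs().containsKey(AUTH_CHECKED) ? status : 403;
    }

    // Hypothetical earlier filter: records an explicit decision for preflights from known
    // origins, so the final check sees a decision instead of a missing attribute.
    static void preflightFilter(Request r) {
        boolean known = r.origin() != null && ALLOWED_ORIGINS.contains(r.origin());
        if (r.method().equals("OPTIONS") && known) {
            r.attrs().put(AUTH_CHECKED, Boolean.TRUE);
        }
    }

    static int handle(Request r, boolean withPreflightFilter) {
        if (withPreflightFilter) preflightFilter(r);
        return preResponseCheck(r, resource(r));
    }

    public static void main(String[] args) {
        String ok = "https://dashboard.example.com", other = "https://unknown.example.net";
        System.out.println("POST, final check only:          " + handle(request("POST", ok), false));
        System.out.println("OPTIONS, final check only:       " + handle(request("OPTIONS", ok), false));
        System.out.println("OPTIONS, allowlisted origin:     " + handle(request("OPTIONS", ok), true));
        System.out.println("OPTIONS, non-allowlisted origin: " + handle(request("OPTIONS", other), true));
    }
}
```

In this model the preflight is rejected only because no component recorded a decision for it, which is why a load balancer that adds CORS headers to responses cannot help: the 403 is produced before those headers matter to the browser.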
