
mgr/dashboard: allow cross origin when the url is set #49060

Merged
merged 1 commit into from Nov 30, 2022

Conversation

nizamial09
Member

@nizamial09 nizamial09 commented Nov 25, 2022

Allow CORS when the cross_origin_url is set in the config opt.

You have to update the cross_origin_url setting with the URL of the
requesting entity.

The request needs to have the header `Access-Control-Allow-Origin`
with the origin URL.

The URL can be set using this command:
`ceph config set mgr mgr/dashboard/cross_origin_url http://localhost:4200`

Multiple URLs can be set as:
`ceph config set mgr mgr/dashboard/cross_origin_url http://localhost:4200,http://localhost:4201`

If multiple URLs are provided in the configuration option, then whatever
URL is there in the Access-Control-Allow-Origin request header will be
allowed for CORS.

Once the URL is set you have to restart the dashboard module to restart
the cherrypy server with the new CORS policies.

Fixes: https://tracker.ceph.com/issues/58086
Signed-off-by: Nizamudeen A <nia@redhat.com>

Contribution Guidelines

Checklist

  • Tracker (select at least one)
    • References tracker ticket
    • Very recent bug; references commit where it was introduced
    • New feature (ticket optional)
    • Doc update (no ticket needed)
    • Code cleanup (no ticket needed)
  • Component impact
    • Affects Dashboard, opened tracker ticket
    • Affects Orchestrator, opened tracker ticket
    • No impact that needs to be tracked
  • Documentation (select at least one)
    • Updates relevant documentation
    • No doc update is appropriate
  • Tests (select at least one)
Show available Jenkins commands
  • jenkins retest this please
  • jenkins test classic perf
  • jenkins test crimson perf
  • jenkins test signed
  • jenkins test make check
  • jenkins test make check arm64
  • jenkins test submodules
  • jenkins test dashboard
  • jenkins test dashboard cephadm
  • jenkins test api
  • jenkins test docs
  • jenkins render docs
  • jenkins test ceph-volume all
  • jenkins test ceph-volume tox
  • jenkins test windows

@nizamial09 nizamial09 requested a review from a team as a code owner November 25, 2022 15:07
@nizamial09 nizamial09 changed the title mgr/dashboard: allow cross origin when the url is set mgr/dashboard: allow cross origin when the url is set Nov 25, 2022
@nizamial09
Member Author

jenkins test dashboard

@nizamial09 nizamial09 force-pushed the accept-cors-dashboard branch 2 times, most recently from 2cbf0f9 to a36914c Compare November 28, 2022 05:50
@nizamial09
Member Author

jenkins test make check

@nizamial09
Member Author

jenkins test dashboard

Contributor

@avanthakkar avanthakkar left a comment


LGTM!

Contributor

@pereman2 pereman2 left a comment


LGTM

@nizamial09 nizamial09 merged commit e4e9627 into ceph:main Nov 30, 2022
10 of 14 checks passed
@nizamial09 nizamial09 deleted the accept-cors-dashboard branch November 30, 2022 04:26
Member

@epuertat epuertat left a comment


LGTM! Besides the request handler code reduction, another thing to consider would be to extend the code in the main module following some pattern, like the supported 'plugin' pattern. Currently the module.py is 600 lines, and the plugin approach allows decoupling code from the main module and just using 'hooks' to extend current functionality.

If you guys need any guidance with that, please let me know and I'll tell you more about the Dashboard plugin framework.

Comment on lines +249 to +251 (src/pybind/mgr/dashboard/module.py):

```python
req_header_origin_url = req_head.get('Access-Control-Allow-Origin')
cross_origin_urls = mgr.get_localized_module_option('cross_origin_url', '')
cross_origin_url_list = [url.strip() for url in cross_origin_urls.split(',')]
```
Member


Every request handler will be executed once per request (and requests are one of the scaling factors of webservers). Therefore it's essential to keep them simple and remove any processing that is not strictly mandatory. The fact that every HTTP request requires interacting with the ceph-mgr API might result in a DoS vulnerability (unauthenticated users might send thousands of dummy HTTP requests and cause a performance degradation in the ceph-mgr). I remember that get_module_option calls are cached and don't end up hitting the ceph-mon, but even so it's healthy not to risk that.

My recommendation here would be to remove the get_localized_module_option() call (BTW, get_module_option() would be enough, since there's no reason to configure different CORS settings per active manager), pass that fixed param to cors_tool(self, cross_origin_list), and then configure it as 'tools.cors_tool.cross_origin_list': '...'.
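A worked version of the behaviour the PR description and the review comment above describe, added here as an example that is not the PR's own code: the comma-separated cross_origin_url value is parsed once at startup (as the reviewer recommends, rather than via a module-option lookup on every request), and the origin a request presents is echoed back in Access-Control-Allow-Origin only when it exactly matches one configured entry, so no wildcard is ever emitted. The function names, the acceptance of the standard Origin request header alongside the Access-Control-Allow-Origin request header the PR reads, the Vary: Origin response header, and the sample request headers are all assumptions constructed for this example.

```python
"""Added example (not the PR's code): a CORS origin allow-list check modelled on the
behaviour described in the PR, with the configured list parsed once at startup."""
from typing import Dict, List


def parse_cross_origin_urls(option_value: str) -> List[str]:
    """Split the comma-separated cross_origin_url option into a list of origins.

    Whitespace around entries is stripped and empty entries (e.g. a trailing comma)
    are dropped, so 'http://a:1, http://b:2,' yields two origins, not three.
    This is meant to run once when the server is configured, not per request.
    """
    return [url.strip() for url in option_value.split(',') if url.strip()]


def cors_headers_for(request_headers: Dict[str, str], allowed_origins: List[str]) -> Dict[str, str]:
    """Return the CORS response headers to add, or {} when the origin is not allowed.

    The origin is compared to the configured entries as an exact string: a
    different scheme, host, port or a trailing slash does not match, and the
    allowed value is never a wildcard. Header names are matched case-insensitively,
    as a real HTTP header map would. The PR reads the origin from the
    Access-Control-Allow-Origin request header; browsers send the Origin header,
    so this example accepts either (an assumption of this example).
    """
    headers = {name.lower(): value for name, value in request_headers.items()}
    origin = headers.get('origin') or headers.get('access-control-allow-origin')
    if not origin or origin not in allowed_origins:
        # Not an allowed cross-origin caller: add no CORS headers at all, so the
        # browser's same-origin policy blocks the response from being read.
        return {}
    return {
        # Echo back exactly the matched origin, never '*'.
        'Access-Control-Allow-Origin': origin,
        # Tell caches that the response differs per origin, so a reply generated for
        # one allowed origin is not served to a different one (assumption: not in the PR).
        'Vary': 'Origin',
    }


if __name__ == '__main__':
    # Constructed sample: the two-URL setting from the PR description, parsed once.
    allowed = parse_cross_origin_urls('http://localhost:4200,http://localhost:4201')
    # Constructed sample requests: an allowed origin, a non-configured one, and no origin.
    for sample in ({'Origin': 'http://localhost:4201'},
                   {'Origin': 'http://localhost:4300'},
                   {'Accept': 'application/json'}):
        print(sample, '->', cors_headers_for(sample, allowed))
```

The check itself is a dictionary lookup over a list built when the tool is configured, which is the shape the reviewer asks for: nothing in the per-request path touches the ceph-mgr option API.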
