[#1190] feat(server-common): Support custom filters #1191
Conversation
qqqttt123
changed the title
| @@ -245,8 +255,11 @@ private JettyServerConfig(Map<String, String> configs) { | |||
| Sets.newHashSet(internalConfig.get(ENABLE_CIPHER_ALGORITHMS).split(SPLITTER))); | |||
| this.enableClientAuth = internalConfig.get(ENABLE_CLIENT_AUTH); | |||
| this.trustStorePath = internalConfig.get(SSL_TRUST_STORE_PATH); | |||
| this.trustStorePasword = internalConfig.get(SSL_TRUST_STORE_PASSWORD); | |||
| this.trustStorePassword = internalConfig.get(SSL_TRUST_STORE_PASSWORD); | |||
There was a problem hiding this comment.
An unrelated typo. Just fix by the way.
| @@ -330,14 +343,18 @@ public String getTrustStorePath() { | |||
| return trustStorePath; | |||
| } | |||
|
|
|||
| public String getTrustStorePasword() { | |||
| return trustStorePasword; | |||
| public String getTrustStorePassword() { | |||
There was a problem hiding this comment.
An unrelated typo. Just fix by the way.
qqqttt123
changed the title
docs/security.md
Outdated
| ### Iceberg REST service's configuration | ||
| | Configuration item | Description | Default value | Required | Since version | | ||
| |-----------------------------------------------------|--------------------------------------------------------------------|---------------|-----------|---------------| | ||
| | `gravitino.auxService.iceberg-rest.customFilters` | Comma separated list of filter class names to apply to the APIs. | `` | Yes | 0.4.0 | |
There was a problem hiding this comment.
Why is the default value `` and it's a required value?
There was a problem hiding this comment.
Require value means that the value can't be null. It's ok to use `` as the value. It means that we don't use any filter.
There was a problem hiding this comment.
I have the same question, Required means user must fillup this field or the program couldn't startup as I understand.
There was a problem hiding this comment.
Required means that this field can't be null.
There was a problem hiding this comment.
I have the same question,
Requiredmeans user must fillup this field or the program couldn't startup as I understand.
According to your standard, gravitino.auxService.iceberg-rest.catalog-backend isn't a required field. But you choose it as a required field.
There was a problem hiding this comment.
Following the previous document specification, we use "(none)" to indicate no default value.
JDBC catalog:
Hive catalog:
There was a problem hiding this comment.
OK, I see other documents follow this standard. I will change this.
There was a problem hiding this comment.
#1214 I raised another pr to fix the comments in other places.
If this config option has default value, this config option is not required.
docs/security.md
Outdated
| |-----------------------------------------------------|--------------------------------------------------------------------|---------------|-----------|---------------| | ||
| | `gravitino.auxService.iceberg-rest.customFilters` | Comma separated list of filter class names to apply to the APIs. | `` | Yes | 0.4.0 | | ||
| The filter should be a standard javax servlet Filter. | ||
| Filter parameters can also be specified in the configuration, by setting config entries of the form `gravitino.auxService.iceberg-rest.<class name of filter>.param.<param name>=<value>` |
There was a problem hiding this comment.
The key seems to be too long, can we shorten it?
There was a problem hiding this comment.
Refer to Spark's way. I have no better idea.
docs/security.md
Outdated
| | Configuration item | Description | Default value | Required | Since version | | ||
| |---------------------------------------------|------------------------------------------------------------------|---------------|-----------|---------------| | ||
| | `gravitino.server.webserver.customFilters` | Comma separated list of filter class names to apply to the APIs. | `` | Yes | 0.4.0 | | ||
| The filter should be a standard javax servlet Filter. |
There was a problem hiding this comment.
Please add an empty line here.
docs/security.md
Outdated
| @@ -258,3 +258,51 @@ If you want to use the command `curl`, you can follow the commands: | |||
| openssl x509 -inform der -in $JAVA_HOME/localhost.crt -out certificate.pem | |||
| curl -v -X GET --cacert ./certificate.pem -H "Accept: application/vnd.gravitino.v1+json" -H "Content-Type: application/json" https://localhost:8433/api/version | |||
| ``` | |||
|
|
|||
| ## Custom filters | |||
There was a problem hiding this comment.
I prefer to move doc to GravitinoServer Configuration because Custom filters is general and not limited to safety
There was a problem hiding this comment.
I refer to Spark. https://spark.apache.org/docs/latest/security.html
There was a problem hiding this comment.
I would suggest to move this part to server configurations, not here. Since user can configure other filters like redirect, it is not purely a security related feature.
docs/security.md
Outdated
|
|
||
| ```shell | ||
| wget https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-servlets/9.4.51.v20230217/jetty-servlets-9.4.51.v20230217.jar | ||
| cp jetty-servlets-9.4.51.v20230217.jar <gravitno home>/libs |
There was a problem hiding this comment.
gravitno home -> gravitino home
…ty.md` (#1214) ### What changes were proposed in this pull request? Modify the required value for the document `security.md`. I modify some document mistakes by the way. ### Why are the changes needed? According the review #1191 (comment) , modify the required value. If a config option has a default value, this config option is not required. ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? No need. --------- Co-authored-by: Heng Qin <[email protected]>
…ty.md` (#1214) ### What changes were proposed in this pull request? Modify the required value for the document `security.md`. I modify some document mistakes by the way. ### Why are the changes needed? According the review #1191 (comment) , modify the required value. If a config option has a default value, this config option is not required. ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? No need. --------- Co-authored-by: Heng Qin <[email protected]>
…ty.md` (#1223) ### What changes were proposed in this pull request? Modify the required value for the document `security.md`. I modify some document mistakes by the way. ### Why are the changes needed? According the review #1191 (comment) , modify the required value. If a config option has a default value, this config option is not required. ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? No need. Co-authored-by: qqqttt123 <[email protected]> Co-authored-by: Heng Qin <[email protected]>
jerryshao
changed the title
docs/security.md
Outdated
|
|
||
| ```shell | ||
| wget https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-servlets/9.4.51.v20230217/jetty-servlets-9.4.51.v20230217.jar | ||
| cp jetty-servlets-9.4.51.v20230217.jar <gravitino home>/libs |
There was a problem hiding this comment.
Can you please change to <GRAVITINO_HOME>/libs
|
Can you please add some UTs, at least to test the correctness of the configurations? |
|
Also, I think we should support cors filter by our own, rather than letting users to configure it. So you should have a new PR to implement cors filter. |
Jetty have implemented CORS filters: org.eclipse.jetty.servlets.CrossOriginFilter . Why do we reuse it? You can see my test. |
|
You should at least wrap the jetty's implementation and provide gravitino configurations. Cors support is very important for all the web based apps, like Livy, Zeppelin, I don't see them letting users configure a filter to achieve this. a) Users don't know where's the right filter they want, and how to enable this, unless they read the code of that filter. Here jetty for example, how did users configure cors without knowing Jetty? |
Ok, I will prefer wrapping the CORS filter of Jetty. |
Fixed. |
What changes were proposed in this pull request?
Add the support of custom filters referring to the Spark.
Why are the changes needed?
Some filters can be configured by users, the needs of users are different. Some filters are implemented by other libs.
For example, Jetty has implemented the CORS filter, so we supported custom filters to satisfy the needs of users.
Fix: #1190
Does this PR introduce any user-facing change?
Yes, I have added the document.
How was this patch tested?
test by the browser console
I test Jetty's cors filter.
Configuration
Browser console code