User story #2144
closed
Bootstrap REST API to manage deployment, PT lib reloading, etc
Added by François ARMAND almost 13 years ago.
Updated over 12 years ago.
Category:
Web - Maintenance
Description
We need to define a REST API that will allow managing common services in Rudder (in short, more or less all the ones with a batch, plus some others):
- regenerate dyn groups
- reload PT library
- generate promises (deploy)
- etc
This issue is only to bootstrap the REST API (only /api/status and /api/deploy/reload are implemented); other issues track:
- authentication #2204
- individual services:
- dynamic groups reloading: #2205
- technique library reloading: #2206
- archive related things: #2228
- Target version changed from 2.4.0~alpha3 to 2.4.0~alpha4
For now, we have decided to have a fully NON-AUTHENTICATED REST API, and let Apache manage that part.
It would be really great to have at least a configuration option to force users to be authenticated to use the API.
- Status changed from New to In progress
- Assignee set to François ARMAND
- Subject changed from REST API to manage deployment, PT lib reloading, etc to Bootstrap REST API to manage deployment, PT lib reloading, etc
- Description updated (diff)
To sum up:
- the API is available without authentication if configuration property "rudder.rest.allowNonAuthenticatedUser" is true
- the username used as the actor of a REST action is:
- the authenticated user if one is available
- else the string given in header X-REST-USERNAME
- else "UnknownRestUser" if none of the above is available.
A simple status REST URL is available at "/api/status", which sends a plaintext answer containing "OK".
Deployment can be triggered with "/api/deploy/start", which sends a plaintext answer containing "OK".
- Status changed from In progress to Pending technical review
- % Done changed from 0 to 100
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Status changed from Pending technical review to 10
I guess this is correct, but I'm a bit puzzled by the fact that if the user is not authenticated, then a header in the request is read... isn't there any risk of spoofing the request header, or am I missing something?
There are only two cases:
- either authentication is required to use the REST API, in which case the authentication mechanism is decoupled from Rudder (more precisely, it's managed by Spring Security and can be anything supported by that framework)
- or no authentication is required, in which case we trust the client and just want to be able to log as much information as we can. Part of that information is who/what the client is, which we can't determine from an authentication token, and so, as we are in a trusted relationship with the client, we ask: "please add relevant information about yourself in that header".
Hope it makes things clearer,
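The following is an added example, not part of this issue and not Rudder's own code (Rudder is written in Scala). It is a stand-alone Python model of the actor-resolution rule from the summary above (authenticated user, else X-REST-USERNAME header, else "UnknownRestUser") together with the "rudder.rest.allowNonAuthenticatedUser" switch, and it exercises the two cases laid out in the reply: with the switch off, an unauthenticated caller is refused before the header is ever read; with the switch on, the header is accepted as client-asserted log information only. The names Request, Response, resolve_actor, handle and demo, and the sample requests, are constructed for this example.

```python
# Added illustration: a model of the actor-resolution rule and the
# allowNonAuthenticatedUser switch described in this issue. Not Rudder's
# code; the names below are chosen for the example.
from dataclasses import dataclass, field
from typing import Dict, Optional

UNKNOWN_REST_USER = "UnknownRestUser"
USERNAME_HEADER = "X-REST-USERNAME"


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    # Set by the authentication layer in front of the API (Spring Security or
    # Apache, per the issue), never derived from client-controlled headers.
    authenticated_user: Optional[str] = None


@dataclass
class Response:
    status: int
    body: str
    actor: Optional[str]  # identity recorded in the log for this action


def resolve_actor(req: Request) -> str:
    """Authenticated user, else X-REST-USERNAME header, else UnknownRestUser."""
    if req.authenticated_user:
        return req.authenticated_user
    # HTTP header names are case-insensitive, so match accordingly.
    for name, value in req.headers.items():
        if name.lower() == USERNAME_HEADER.lower() and value.strip():
            return value.strip()
    return UNKNOWN_REST_USER


def handle(req: Request, allow_non_authenticated_user: bool) -> Response:
    """Dispatch /api/status and /api/deploy/start as the issue describes."""
    if req.authenticated_user is None and not allow_non_authenticated_user:
        # Switch off: the unauthenticated caller never reaches a handler and
        # the X-REST-USERNAME header is never consulted.
        return Response(401, "authentication required", None)
    actor = resolve_actor(req)
    if req.path == "/api/status":
        return Response(200, "OK", actor)
    if req.path == "/api/deploy/start":
        # A real server would start the deployment here and log `actor`.
        return Response(200, "OK", actor)
    return Response(404, "not found", actor)


def demo() -> Dict[str, Response]:
    """Constructed requests exercising the three actor sources and the switch."""
    header_only = Request("/api/deploy/start", {USERNAME_HEADER: "admin"})
    anonymous = Request("/api/status")
    authed = Request("/api/deploy/start", {USERNAME_HEADER: "admin"}, "alice")
    return {
        # Switch on (trusted client): the header value is taken as-is. Nothing
        # verifies the caller really is "admin"; it is log information only,
        # which is the point raised in the review comment.
        "open_header": handle(header_only, allow_non_authenticated_user=True),
        "open_no_header": handle(anonymous, allow_non_authenticated_user=True),
        # Switch off: the same request is refused before dispatch.
        "closed_header": handle(header_only, allow_non_authenticated_user=False),
        # An authenticated principal always wins over the header.
        "authed_header": handle(authed, allow_non_authenticated_user=False),
    }


if __name__ == "__main__":
    for name, resp in demo().items():
        print(f"{name:15s} -> {resp.status} {resp.body!r} actor={resp.actor}")
```

The practical reading of the two cases: the header is only meaningful when the deployment is already fronted by something (Apache, Spring Security) that restricts who can reach the API at all; once the switch is on, anything written to the audit log from X-REST-USERNAME is whatever the client chose to send.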
- Status changed from 10 to Released