
Admin Router: /service endpoint request buffering was disabled w/o strong technical reason

Details

• Type: Task
• Status: Resolved
• Priority: High
• Resolution: Done
• Affects Version/s: None
• Fix Version/s: DC/OS 1.10.0
• Component/s: adminrouter
• Labels: None
• Sprint: Security Team Sprint 10
• Story Points: 3

Description

This discussion started with https://github.com/dcos/dcos/pull/1768#discussion_r130594810

In general, I think we should decide how we want to deal with the `/service` endpoint and its successors. It is a bit special because it routes to user applications, which can use a variety of configurations and protocols. We can either:

• make it as transparent as possible in order not to limit users' freedom
• make it strict by default, and only enable features when needed.

I have disabled request buffering in commit https://github.com/dcos/dcos/commit/a6775b188cfa3f6a4259761e2c6d1e9308e4b92f#diff-975ac4518ac1633712a3378262ce59d0R261 hoping to enable SSE events behaviour for users, just like we do, e.g., for DC/OS task console redirection (Kevin's tools). On the other hand, Jan-Philip Gehrcke rightfully pointed out that request buffering may shield the cluster from misbehaving clients.

The service endpoint already has WebSockets behaviour enabled, but according to https://stackoverflow.com/a/5326159 they are not 100% interchangeable.

No matter what we decide upon, I think we should act quickly, as this change has not been released yet and there are no customers that rely on it.
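The two policies weighed above, written out as an nginx configuration sketch. This is an added illustration, not Admin Router's actual configuration or the content of the referenced commit; it assumes Admin Router's nginx-based proxy and uses a placeholder upstream name (`user_app`) and placeholder paths. One detail worth keeping straight when reading it: SSE streaming depends on the response-side buffer (`proxy_buffering`) being off so that events are flushed to the client as they arrive, whereas `proxy_request_buffering` (the directive this ticket is about) controls whether nginx reads the whole request body before forwarding it, which is what protects an upstream from slow or stalled clients.

```nginx
# Added example (not from the DC/OS repository). "user_app" and the paths
# are placeholders for whatever a /service-style location proxies to.

# Strict default: nginx reads the full request body before opening the
# upstream connection, so a client that trickles its body ties up an
# nginx connection, not a worker inside the user's application.
location /service/ {
    proxy_pass http://user_app;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_request_buffering on;   # nginx default; shields upstreams from slow request bodies
    client_max_body_size 10m;     # bound how much a single request may upload
    client_body_timeout 30s;      # drop clients that stop sending the body
}

# Opt-in streaming location: only for applications that actually need
# SSE or WebSockets, so the relaxed settings are scoped, not cluster-wide.
location /service/streaming-app/ {
    proxy_pass http://user_app;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    # WebSocket upgrade, as the ticket says the endpoint already has enabled
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    # SSE: the *response* must not be buffered, or events sit in nginx
    # until a buffer fills or the upstream closes the connection
    proxy_buffering off;
    proxy_cache off;
    # Request streaming, i.e. what the referenced commit turned off globally;
    # enable here only if the application needs chunked/streamed uploads
    proxy_request_buffering off;
    # long-lived connections need a read timeout above the default 60s
    proxy_read_timeout 3600s;
}
```

Scoping the relaxed directives to a dedicated location keeps the protective default for every other service; if a per-service switch were wanted instead, the same directives could be selected by whatever routing logic the `/service` endpoint already uses to pick the upstream.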


People

• Assignee: prozlach Pawel Rozlach
• Reporter: prozlach Pawel Rozlach
• Team: Security Team
• Watchers (4): Artem Harutyunyan (Inactive), Gustav Paul (Inactive), Jan-Philip Gehrcke (Inactive), Pawel Rozlach
