[admin-guide] Fix rst mark-ups for cross-project
Change-Id: Ibf7c978a3b59c1b1a76d6b2c0b29a97bf2eaaf67
This commit is contained in:
venkatamahesh
@@ -5,6 +5,7 @@ Cross-origin resource sharing
|
|||||||
=============================
|
=============================
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
This is a new feature in OpenStack Liberty.
|
This is a new feature in OpenStack Liberty.
|
||||||
|
|
||||||
OpenStack supports :term:`Cross-Origin Resource Sharing (CORS)`, a W3C
|
OpenStack supports :term:`Cross-Origin Resource Sharing (CORS)`, a W3C
|
||||||
@@ -45,11 +46,11 @@ configuration file, or add it yourself according to the pattern below.
|
|||||||
expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Custom-Header
|
expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Custom-Header
|
||||||
|
|
||||||
This method also enables you to define multiple origins. To express this in
|
This method also enables you to define multiple origins. To express this in
|
||||||
your configuration file, first begin with a :code:`[cors]` group as above,
|
your configuration file, first begin with a ``[cors]`` group as above,
|
||||||
into which you place your default configuration values. Then, add as many
|
into which you place your default configuration values. Then, add as many
|
||||||
additional configuration groups as necessary, naming them
|
additional configuration groups as necessary, naming them
|
||||||
:code:`[cors.{something}]` (each name must be unique). The purpose of the
|
``[cors.{something}]`` (each name must be unique). The purpose of the
|
||||||
suffix to :code:`cors.` is legibility, we recommend using a reasonable
|
suffix to ``cors.`` is legibility, we recommend using a reasonable
|
||||||
human-readable string:
|
human-readable string:
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
@@ -74,10 +75,10 @@ Enabling CORS with PasteDeploy
|
|||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
In other services, CORS is configured via PasteDeploy. In this case,
|
In other services, CORS is configured via PasteDeploy. In this case,
|
||||||
you must first make sure that OpenStack's :code:`oslo_middleware` package
|
you must first make sure that OpenStack's ``oslo_middleware`` package
|
||||||
(version 2.4.0 or later) is available in the Python environment that is
|
(version 2.4.0 or later) is available in the Python environment that is
|
||||||
running the service. Then, add the following configuration block to your
|
running the service. Then, add the following configuration block to your
|
||||||
:file:`paste.ini` file.
|
``paste.ini`` file.
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
@@ -89,24 +90,29 @@ running the service. Then, add the following configuration block to your
|
|||||||
allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Custom-Header
|
allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Custom-Header
|
||||||
expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Custom-Header
|
expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Custom-Header
|
||||||
|
|
||||||
.. note:: To add another domain, simply add another filter.
|
.. note::
|
||||||
|
|
||||||
|
To add another domain, simply add another filter.
|
||||||
|
|
||||||
Security concerns
|
Security concerns
|
||||||
~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
CORS specifies a wildcard character `*`, which permits access to all user
|
CORS specifies a wildcard character ``*``, which permits access to all user
|
||||||
agents, regardless of domain, protocol, or host. While there are valid use
|
agents, regardless of domain, protocol, or host. While there are valid use
|
||||||
cases for this approach, it also permits a malicious actor to create a
|
cases for this approach, it also permits a malicious actor to create a
|
||||||
convincing facsimile of a user interface, and trick users into revealing
|
convincing facsimile of a user interface, and trick users into revealing
|
||||||
authentication credentials. Please carefully evaluate your use case and the
|
authentication credentials. Please carefully evaluate your use case and the
|
||||||
relevant documentation for any risk to your organization.
|
relevant documentation for any risk to your organization.
|
||||||
|
|
||||||
.. note:: The CORS specification does not support using this wildcard as
|
.. note::
|
||||||
a part of a URI. Setting allowed-origin to `*` would work, while
|
|
||||||
:code:`*.openstack.org` would not.
|
The CORS specification does not support using this wildcard as
|
||||||
|
a part of a URI. Setting ``allowed_origin`` to ``*`` would work, while
|
||||||
|
``*.openstack.org`` would not.
|
||||||
|
|
||||||
Troubleshooting
|
Troubleshooting
|
||||||
~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
CORS is very easy to get wrong, as even one incorrect property will violate
|
CORS is very easy to get wrong, as even one incorrect property will violate
|
||||||
the prescribed contract. Here are some steps you can take to troubleshoot
|
the prescribed contract. Here are some steps you can take to troubleshoot
|
||||||
your configuration.
|
your configuration.
|
||||||
@@ -118,8 +124,8 @@ The CORS middleware used by OpenStack provides verbose debug logging that
|
|||||||
should reveal most configuration problems. Here are some example log
|
should reveal most configuration problems. Here are some example log
|
||||||
messages, and how to resolve them.
|
messages, and how to resolve them.
|
||||||
|
|
||||||
``CORS request from origin 'http://foo.com' not permitted.``
|
``CORS request from origin 'http://example.com' not permitted.``
|
||||||
A request was received from the origin 'http://foo.com', however this
|
A request was received from the origin ``http://example.com``, however this
|
||||||
origin was not found in the permitted list. The cause may be a superfluous
|
origin was not found in the permitted list. The cause may be a superfluous
|
||||||
port notation (ports 80 and 443 do not need to be specified). To correct,
|
port notation (ports 80 and 443 do not need to be specified). To correct,
|
||||||
ensure that the configuration property for this host is identical to the
|
ensure that the configuration property for this host is identical to the
|
||||||
@@ -128,11 +134,11 @@ messages, and how to resolve them.
|
|||||||
``Request method 'DELETE' not in permitted list: GET,PUT,POST``
|
``Request method 'DELETE' not in permitted list: GET,PUT,POST``
|
||||||
A user agent has requested permission to perform a DELETE request, however
|
A user agent has requested permission to perform a DELETE request, however
|
||||||
the CORS configuration for the domain does not permit this. To correct, add
|
the CORS configuration for the domain does not permit this. To correct, add
|
||||||
this method to the :code:`allow_methods` configuration property.
|
this method to the ``allow_methods`` configuration property.
|
||||||
|
|
||||||
``Request header 'X-Custom-Header' not in permitted list: X-Other-Header``
|
``Request header 'X-Custom-Header' not in permitted list: X-Other-Header``
|
||||||
A request was received with the header 'X-Custom-Header', which is not
|
A request was received with the header ``X-Custom-Header``, which is not
|
||||||
permitted. Add this header to the :code:`allow_headers` configuration
|
permitted. Add this header to the ``allow_headers`` configuration
|
||||||
property.
|
property.
|
||||||
|
|
||||||
Open your browser's console log
|
Open your browser's console log
|
||||||
@@ -145,24 +151,29 @@ to access.
|
|||||||
|
|
||||||
Manually construct a CORS request
|
Manually construct a CORS request
|
||||||
---------------------------------
|
---------------------------------
|
||||||
|
|
||||||
By using ``curl`` or a similar tool, you can trigger a CORS response with a
|
By using ``curl`` or a similar tool, you can trigger a CORS response with a
|
||||||
properly constructed HTTP request. An example request and response might look
|
properly constructed HTTP request. An example request and response might look
|
||||||
like this.
|
like this.
|
||||||
|
|
||||||
Request::
|
Request example:
|
||||||
|
|
||||||
$ curl -I -X OPTIONS https://api.example.com/api -H "Origin: https://ui.example.com"
|
.. code-block:: console
|
||||||
|
|
||||||
Response::
|
$ curl -I -X OPTIONS https://api.example.com/api -H "Origin: https://ui.example.com"
|
||||||
|
|
||||||
HTTP/1.1 204 No Content
|
Response example:
|
||||||
Content-Length: 0
|
|
||||||
Access-Control-Allow-Origin: https://ui.example.com
|
.. code-block:: console
|
||||||
Access-Control-Allow-Methods: GET,POST,PUT,DELETE
|
|
||||||
Access-Control-Expose-Headers: origin,authorization,accept,x-total,x-limit,x-marker,x-client,content-type
|
HTTP/1.1 204 No Content
|
||||||
Access-Control-Allow-Headers: origin,authorization,accept,x-total,x-limit,x-marker,x-client,content-type
|
Content-Length: 0
|
||||||
Access-Control-Max-Age: 3600
|
Access-Control-Allow-Origin: https://ui.example.com
|
||||||
|
Access-Control-Allow-Methods: GET,POST,PUT,DELETE
|
||||||
|
Access-Control-Expose-Headers: origin,authorization,accept,x-total,x-limit,x-marker,x-client,content-type
|
||||||
|
Access-Control-Allow-Headers: origin,authorization,accept,x-total,x-limit,x-marker,x-client,content-type
|
||||||
|
Access-Control-Max-Age: 3600
|
||||||
|
|
||||||
If the service does not return any access control headers, check the service
|
If the service does not return any access control headers, check the service
|
||||||
log, such as :code:`/var/log/upstart/ironic-api.log` for an indication on what
|
log, such as ``/var/log/upstart/ironic-api.log`` for an indication on what
|
||||||
went wrong.
|
went wrong.
|
||||||
|
|||||||
Reference in New Issue
Block a user