Implement bucket-level CORS configuration settings with S3 APIs PutBucketCors, etc #20150
Conversation
marktheunissen
force-pushed
the
bucketcors
branch
from
639686c
to
c4bdcc0
Compare
marktheunissen
force-pushed
the
bucketcors
branch
4 times, most recently
from
6054f47
to
8f1cbd6
Compare
marktheunissen
force-pushed
the
bucketcors
branch
4 times, most recently
from
1086feb
to
f49a8e5
Compare
marktheunissen
force-pushed
the
bucketcors
branch
from
f49a8e5
to
846d926
Compare
This is correct implementation. |
|
@harshavardhana I've pushed some commits for review |
|
Lets move this PR to mineos only @marktheunissen https://github.com/miniohq/mineos we are not making this change for public consumption. |
|
@harshavardhana How will we handle the divergence in repos like |
They are clients @marktheunissen and libraries the main functionality stays in EOS. |
They must be run against EOS only. |
marktheunissen
force-pushed
the
bucketcors
branch
from
74f6cb0
to
2620224
Compare
marktheunissen
force-pushed
the
bucketcors
branch
2 times, most recently
from
bdc3ebf
to
12365ec
Compare
…cketCors, GetBucketCors, etc Singleflight on getconfig. FIXMEs for spelling. Fewer allocations for middleware Move docs, fix typos complaining deps fix
marktheunissen
force-pushed
the
bucketcors
branch
from
12365ec
to
5ea9505
Compare
|
Moving to MinEOS |
Description
This PR adds support for the S3 APIs
PutBucketCors,DeleteBucketCors,GetBucketCorsand allows the API to use these bucket-specific CORS configurations while falling back to global config where no bucket-specific configuration is given.Motivation and Context
MinIO has always supported "Global CORS" settings, but has not supported the S3 Bucket Cors APIS:
The global configuration is done with
cors_allow_originor env varMINIO_API_CORS_ALLOW_ORIGIN, and defaults to origins=*. This is the only CORS configuration that is currently supported.S3's API, however, allows a user to put a CORS configuration for a given bucket with a rich configuration language, up to 100 rules may be applied. Docs:
For example:
The goal of this PR is to match the S3 rules engine as closely as possible, with a few small exceptions where S3 does not follow the fetch() spec. CORS is made for browsers and thus it's the fetch() spec that defines how it should behave. These exceptions are documented in the functional tests in
minio-go. Fetch spec is here:Another objective is to allow the global CORS settings to continue functioning, without any action required from users who do not apply bucket CORS.
Implementation
MinIO currently uses https://github.com/rs/cors to handle Global CORS.
The intention in this PR is to provide an adapter which can transform a matched S3 Bucket CORS rule, to an
rs/corsconfiguration. This is slightly less efficient than implementing a seperate CORS engine just for the bucket configurations, however, it simplifies things, as there is only one actual cors engine,rs/cors, not two.The old implementation applies CORS through a handler wrapper, rather than a mux.Middleware. This PR needs to change that, as we now need the bucket name in the CORS handling logic, and the mux router does not provide the
bucketvar name, unless a route matches.This PR introduces
corsHandleras a real Middleware (added toglobalMiddlewares).corsHandleris able to check if a CORS config is applied to a bucket, and if it is, use it instead of the global config.The disadvantage of using mux.Middleware, is that it's slightly less efficient, as mux sets up the Middleware chain every time there is a route match. This is in contrast to the current global CORS handler wrapper, which is only called once when the router is initialized.
One unavoidable change is that currently preflight is evaluated before any auth, so for example, doing
curl -v -XOPTIONS https://play.min.io/minio/kms/v1/status -H "Origin: http://foobar.com/"gives you 200 OK. After this PR, auth will be evaluated first, so it will be access denied. I believe the new code in this PR is a more correct implementation.How to test this PR?
Types of changes
Checklist:
commit-idorPR #here)All related PRs: