)]}'
{"specs/cors-support.rst":[{"author":{"_account_id":6968,"name":"Christian Schwede","email":"cschwede@redhat.com","username":"cschwede"},"change_message_id":"a96955996eaade42c96e8cc6075a79af33c9a5c7","unresolved":false,"context_lines":[{"line_number":87,"context_line":"- Update Global Requirements to use oslo_middleware version 1.2.0"},{"line_number":88,"context_line":"- Add `CORS Middleware`_ to OpenStack API\u0027s"},{"line_number":89,"context_line":"    - Nova"},{"line_number":90,"context_line":"    - Swift"},{"line_number":91,"context_line":"    - Glance"},{"line_number":92,"context_line":"    - Neutron"},{"line_number":93,"context_line":"    - Cinder"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3acd31a7_c2d2015c","line":90,"updated":"2015-05-05 15:42:51.000000000","message":"Swift already has a CORS implementation, though not as a middleware. Does this imply Swift has to refactor the existing implementation to use the oslo middleware?","commit_id":"73a55eb8e0131396a15fd7ca92d5337dc94c6193"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"d2f58b83ff8e35b09aca72e87222f7823e893cf9","unresolved":false,"context_lines":[{"line_number":87,"context_line":"- Update Global Requirements to use oslo_middleware version 1.2.0"},{"line_number":88,"context_line":"- Add `CORS Middleware`_ to OpenStack API\u0027s"},{"line_number":89,"context_line":"    - Nova"},{"line_number":90,"context_line":"    - Swift"},{"line_number":91,"context_line":"    - Glance"},{"line_number":92,"context_line":"    - Neutron"},{"line_number":93,"context_line":"    - Cinder"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3acd31a7_427f1115","line":90,"in_reply_to":"3acd31a7_c2d2015c","updated":"2015-05-05 15:51:36.000000000","message":"Hrm, I wasn\u0027t aware of that (or I probably was, I may have just blocked it out). 
I\u0027ll add a section that calls swift out specifically, so that we can have that discussion with the PTL/Cores and decide on the best way to move forward.","commit_id":"73a55eb8e0131396a15fd7ca92d5337dc94c6193"},{"author":{"_account_id":6968,"name":"Christian Schwede","email":"cschwede@redhat.com","username":"cschwede"},"change_message_id":"a96955996eaade42c96e8cc6075a79af33c9a5c7","unresolved":false,"context_lines":[{"line_number":92,"context_line":"    - Neutron"},{"line_number":93,"context_line":"    - Cinder"},{"line_number":94,"context_line":"    - Keystone"},{"line_number":95,"context_line":"    - Celiometer"},{"line_number":96,"context_line":"    - Heat"},{"line_number":97,"context_line":"    - Trove"},{"line_number":98,"context_line":"    - Sahara"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3acd31a7_82c889a9","line":95,"updated":"2015-05-05 15:42:51.000000000","message":"nit: typo - Ceilometer","commit_id":"73a55eb8e0131396a15fd7ca92d5337dc94c6193"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"d2f58b83ff8e35b09aca72e87222f7823e893cf9","unresolved":false,"context_lines":[{"line_number":92,"context_line":"    - Neutron"},{"line_number":93,"context_line":"    - Cinder"},{"line_number":94,"context_line":"    - Keystone"},{"line_number":95,"context_line":"    - Celiometer"},{"line_number":96,"context_line":"    - Heat"},{"line_number":97,"context_line":"    - Trove"},{"line_number":98,"context_line":"    - Sahara"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3acd31a7_02ac798a","line":95,"in_reply_to":"3acd31a7_82c889a9","updated":"2015-05-05 15:51:36.000000000","message":"Thanks! 
I\u0027ll update this as soon as the next revision goes up.","commit_id":"73a55eb8e0131396a15fd7ca92d5337dc94c6193"},{"author":{"_account_id":964,"name":"Anne Gentle","email":"annegentle@justwriteclick.com","username":"annegentle"},"change_message_id":"c5e7f98f6536514de27591520d3d572666c497c9","unresolved":false,"context_lines":[{"line_number":96,"context_line":"    - Heat"},{"line_number":97,"context_line":"    - Trove"},{"line_number":98,"context_line":"    - Sahara"},{"line_number":99,"context_line":"    - Ironic"},{"line_number":100,"context_line":"- Write documentation for CORS configuration, security concerns, et al."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3acd31a7_dd60aaa7","line":99,"updated":"2015-05-05 12:51:36.000000000","message":"How was this list selected?","commit_id":"73a55eb8e0131396a15fd7ca92d5337dc94c6193"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"83a9e78900edd53c59666d2e92bd7be55194d549","unresolved":false,"context_lines":[{"line_number":96,"context_line":"    - Heat"},{"line_number":97,"context_line":"    - Trove"},{"line_number":98,"context_line":"    - Sahara"},{"line_number":99,"context_line":"    - Ironic"},{"line_number":100,"context_line":"- Write documentation for CORS configuration, security concerns, et al."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3acd31a7_a7cef72b","line":99,"in_reply_to":"3acd31a7_dd60aaa7","updated":"2015-05-05 15:32:55.000000000","message":"I pulled this list from ttx\u0027s Kilo release email. 
http://lists.openstack.org/pipermail/openstack/2015-April/012473.html","commit_id":"73a55eb8e0131396a15fd7ca92d5337dc94c6193"},{"author":{"_account_id":964,"name":"Anne Gentle","email":"annegentle@justwriteclick.com","username":"annegentle"},"change_message_id":"c5e7f98f6536514de27591520d3d572666c497c9","unresolved":false,"context_lines":[{"line_number":97,"context_line":"    - Trove"},{"line_number":98,"context_line":"    - Sahara"},{"line_number":99,"context_line":"    - Ironic"},{"line_number":100,"context_line":"- Write documentation for CORS configuration, security concerns, et al."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3acd31a7_5d4eda3b","line":100,"updated":"2015-05-05 12:51:36.000000000","message":"Could you be more specific where that documentation will live? Perhaps talk to the Security Guide authors about a section there? Definitely should be in the Cloud Admin Guide.","commit_id":"73a55eb8e0131396a15fd7ca92d5337dc94c6193"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"83a9e78900edd53c59666d2e92bd7be55194d549","unresolved":false,"context_lines":[{"line_number":97,"context_line":"    - Trove"},{"line_number":98,"context_line":"    - Sahara"},{"line_number":99,"context_line":"    - Ironic"},{"line_number":100,"context_line":"- Write documentation for CORS configuration, security concerns, et al."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3acd31a7_47de03de","line":100,"in_reply_to":"3acd31a7_5d4eda3b","updated":"2015-05-05 15:32:55.000000000","message":"Sure, I\u0027ll start a thread on the dev 
list.","commit_id":"73a55eb8e0131396a15fd7ca92d5337dc94c6193"},{"author":{"_account_id":6486,"name":"Brant Knudson","email":"blk@acm.org","username":"blk-u"},"change_message_id":"27ad4d177889294c9ffdf24dad7f1552756d82ae","unresolved":false,"context_lines":[{"line_number":36,"context_line":"This specification does *not* presume to require an additional configuration"},{"line_number":37,"context_line":"step for operators for a \u0027default\u0027 install of OpenStack and its user"},{"line_number":38,"context_line":"interface. Horizon currently maintains, and shall continue to maintain, its"},{"line_number":39,"context_line":"own installation requirements."},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"This specification does *not* presume to set front-end application design"},{"line_number":42,"context_line":"standards- rather it exists to expand the options that front-end teams have,"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_ded4a948","line":39,"updated":"2015-05-10 13:40:45.000000000","message":"Can we recommend that Horizon remove this? Seems like this CORS change could improve security a bit by removing some code.","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"feb3ab0cbc0546bca5ab89957cb47118478ce7ce","unresolved":false,"context_lines":[{"line_number":36,"context_line":"This specification does *not* presume to require an additional configuration"},{"line_number":37,"context_line":"step for operators for a \u0027default\u0027 install of OpenStack and its user"},{"line_number":38,"context_line":"interface. 
Horizon currently maintains, and shall continue to maintain, its"},{"line_number":39,"context_line":"own installation requirements."},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"This specification does *not* presume to set front-end application design"},{"line_number":42,"context_line":"standards- rather it exists to expand the options that front-end teams have,"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_7b3eeab9","line":39,"in_reply_to":"9af37de9_ded4a948","updated":"2015-05-10 23:28:49.000000000","message":"I\u0027ve had extensive conversations with David Lyle on this- and while yes, Horizon is definitely moving in this direction, it needs to arrive here on its own schedule. I worded it this way because this version would give Horizon the freedom to get here under its own power.","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":6486,"name":"Brant Knudson","email":"blk@acm.org","username":"blk-u"},"change_message_id":"27ad4d177889294c9ffdf24dad7f1552756d82ae","unresolved":false,"context_lines":[{"line_number":52,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"All OpenStack API\u0027s should implement a common middleware that implements CORS"},{"line_number":55,"context_line":"in a reusable, optional fashion. 
This middleware should be well documented,"},{"line_number":56,"context_line":"with security concerns highlighted, in order to properly educate the operator"},{"line_number":57,"context_line":"community on their choices."},{"line_number":58,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_5ec1d97f","line":55,"updated":"2015-05-10 13:40:45.000000000","message":"change \"should\" to \"must\"","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"feb3ab0cbc0546bca5ab89957cb47118478ce7ce","unresolved":false,"context_lines":[{"line_number":52,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"All OpenStack API\u0027s should implement a common middleware that implements CORS"},{"line_number":55,"context_line":"in a reusable, optional fashion. This middleware should be well documented,"},{"line_number":56,"context_line":"with security concerns highlighted, in order to properly educate the operator"},{"line_number":57,"context_line":"community on their choices."},{"line_number":58,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_fb789a91","line":55,"in_reply_to":"9af37de9_5ec1d97f","updated":"2015-05-10 23:28:49.000000000","message":"Makes sense. Done.","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":6486,"name":"Brant Knudson","email":"blk@acm.org","username":"blk-u"},"change_message_id":"27ad4d177889294c9ffdf24dad7f1552756d82ae","unresolved":false,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"`CORS Middleware`_ is available in oslo_middleware version 0.3.0. 
Additional"},{"line_number":60,"context_line":"work would be required to add this middleware to the appropriate services,"},{"line_number":61,"context_line":"and to add the necessary documentation to the docs repository."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Note that improperly implemented CORS_ support is a security concern, and"},{"line_number":64,"context_line":"this should be highlighted in the documentation."}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_1ebb5110","line":61,"updated":"2015-05-10 13:40:45.000000000","message":"what about testing?","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"feb3ab0cbc0546bca5ab89957cb47118478ce7ce","unresolved":false,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"`CORS Middleware`_ is available in oslo_middleware version 0.3.0. Additional"},{"line_number":60,"context_line":"work would be required to add this middleware to the appropriate services,"},{"line_number":61,"context_line":"and to add the necessary documentation to the docs repository."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Note that improperly implemented CORS_ support is a security concern, and"},{"line_number":64,"context_line":"this should be highlighted in the documentation."}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_9b686ebc","line":61,"in_reply_to":"9af37de9_1ebb5110","updated":"2015-05-10 23:28:49.000000000","message":"There\u0027s a comprehensive suite of tests already built into the oslo.middleware library to cover this feature, which I invite you to review. 
While it may be feasible to import those tests as a plugin test module and run them specifically against individual services, this feels like overkill to me (especially since any problem in the middleware should be fixed for all of its installs).","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":6486,"name":"Brant Knudson","email":"blk@acm.org","username":"blk-u"},"change_message_id":"27ad4d177889294c9ffdf24dad7f1552756d82ae","unresolved":false,"context_lines":[{"line_number":66,"context_line":"Alternatives"},{"line_number":67,"context_line":"------------"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"One alternative is to provide a stripped down proxy, much like horizon\u0027s"},{"line_number":70,"context_line":"implementation, as an starter project template. It would require additional"},{"line_number":71,"context_line":"documentation that teaches UI development teams on how to implement and build"},{"line_number":72,"context_line":"on it. This mostly already exists inside of horizon, and could be repurposed."}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_be40c508","line":69,"updated":"2015-05-10 13:40:45.000000000","message":"Apache Httpd can be configured to reverse-proxy easily enough.","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"feb3ab0cbc0546bca5ab89957cb47118478ce7ce","unresolved":false,"context_lines":[{"line_number":66,"context_line":"Alternatives"},{"line_number":67,"context_line":"------------"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"One alternative is to provide a stripped down proxy, much like horizon\u0027s"},{"line_number":70,"context_line":"implementation, as an starter project template. 
It would require additional"},{"line_number":71,"context_line":"documentation that teaches UI development teams on how to implement and build"},{"line_number":72,"context_line":"on it. This mostly already exists inside of horizon, and could be repurposed."}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_1b9b5ecb","line":69,"in_reply_to":"9af37de9_be40c508","updated":"2015-05-10 23:28:49.000000000","message":"Good alternative. Added.","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":6486,"name":"Brant Knudson","email":"blk@acm.org","username":"blk-u"},"change_message_id":"27ad4d177889294c9ffdf24dad7f1552756d82ae","unresolved":false,"context_lines":[{"line_number":85,"context_line":"----------"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"- Update Global Requirements to use oslo_middleware version 1.2.0 (complete)"},{"line_number":88,"context_line":"- Propose `CORS Middleware`_ to OpenStack API\u0027s that do not already support it."},{"line_number":89,"context_line":"  This includes, but is not restricted to: Nova, Glance, Neutron, Cinder,"},{"line_number":90,"context_line":"  Keystone, Ceilometer, Heat, Trove, Sahara, and Ironic."},{"line_number":91,"context_line":"- Propose refactor to use `CORS Middleware`_ to OpenStack API\u0027s that already"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_7e4b7d2c","line":88,"updated":"2015-05-10 13:40:45.000000000","message":"Can\u0027t you put CORS middleware in keystone paste.ini already?","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"feb3ab0cbc0546bca5ab89957cb47118478ce7ce","unresolved":false,"context_lines":[{"line_number":85,"context_line":"----------"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"- Update Global Requirements to use oslo_middleware version 
1.2.0 (complete)"},{"line_number":88,"context_line":"- Propose `CORS Middleware`_ to OpenStack API\u0027s that do not already support it."},{"line_number":89,"context_line":"  This includes, but is not restricted to: Nova, Glance, Neutron, Cinder,"},{"line_number":90,"context_line":"  Keystone, Ceilometer, Heat, Trove, Sahara, and Ironic."},{"line_number":91,"context_line":"- Propose refactor to use `CORS Middleware`_ to OpenStack API\u0027s that already"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_fb865a64","line":88,"in_reply_to":"9af37de9_7e4b7d2c","updated":"2015-05-10 23:28:49.000000000","message":"The specifics of how this middleware is added will vary by project, and yes- it may be feasible to just add it to keystone using paste.ini. With that in mind, the discussion of how this feature is added to keystone - whether it\u0027s directly added or optional via paste.ini (which requires different documentation) - cannot start until this particular spec is approved.\n\nPersonally, I strongly believe in \"do it the same way everywhere\" as far as inclusion and configuration goes. Also, I\u0027m not certain whether the current CORS middleware, which depends on being provided an explicit oslo_config instance, will work without additional changes.","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":6486,"name":"Brant Knudson","email":"blk@acm.org","username":"blk-u"},"change_message_id":"27ad4d177889294c9ffdf24dad7f1552756d82ae","unresolved":false,"context_lines":[{"line_number":92,"context_line":"  support it via other means. 
This includes, but is not restricted to: Swift."},{"line_number":93,"context_line":"- Write documentation for CORS configuration."},{"line_number":94,"context_line":"  - The authoritative content will live in the Cloud Admin Guide."},{"line_number":95,"context_line":"  - The Security Guide will contain a comment and link to the Cloud Admin Guide."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"Dependencies"},{"line_number":98,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_1e5231de","line":95,"updated":"2015-05-10 13:40:45.000000000","message":"There\u0027s also installation guides.","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"feb3ab0cbc0546bca5ab89957cb47118478ce7ce","unresolved":false,"context_lines":[{"line_number":92,"context_line":"  support it via other means. This includes, but is not restricted to: Swift."},{"line_number":93,"context_line":"- Write documentation for CORS configuration."},{"line_number":94,"context_line":"  - The authoritative content will live in the Cloud Admin Guide."},{"line_number":95,"context_line":"  - The Security Guide will contain a comment and link to the Cloud Admin Guide."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"Dependencies"},{"line_number":98,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9af37de9_9bdd0e73","line":95,"in_reply_to":"9af37de9_1e5231de","updated":"2015-05-10 23:28:49.000000000","message":"I will check with Anne Gentle, however the scope of the install guides seem to me to be more \"Get things running\" and less \"Here are all the crazy configuration things you can do\". 
Once horizon depends on CORS, then it would make sense to add this to the install guides, however until then I feel it should remain in the administration guide and the comprehensive configuration reference.","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":964,"name":"Anne Gentle","email":"annegentle@justwriteclick.com","username":"annegentle"},"change_message_id":"91eba31d1ff85f5b100cbe4c533853214bd9612b","unresolved":false,"context_lines":[{"line_number":92,"context_line":"  support it via other means. This includes, but is not restricted to: Swift."},{"line_number":93,"context_line":"- Write documentation for CORS configuration."},{"line_number":94,"context_line":"  - The authoritative content will live in the Cloud Admin Guide."},{"line_number":95,"context_line":"  - The Security Guide will contain a comment and link to the Cloud Admin Guide."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"Dependencies"},{"line_number":98,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7a016987_20d5afb8","line":95,"in_reply_to":"9af37de9_9bdd0e73","updated":"2015-05-26 21:22:59.000000000","message":"Agreed, the Install Guides are meant to be reference installs for a \"happy path\" that gets you to launching a VM or storing an object, nothing more or less.","commit_id":"427ccc8d1c8ac1e5182d6e6fa4b3f6fc85cb7380"},{"author":{"_account_id":13997,"name":"SHIGEMATSU Mitsuhiro","email":"shigematsu.mitsuhiro@lab.ntt.co.jp","username":"pshige"},"change_message_id":"3f4cc6f6bf39c59ad22611d7297cad8e586bfa12","unresolved":false,"context_lines":[{"line_number":70,"context_line":"a well configured Apache mod_proxy. It would require additional documentation"},{"line_number":71,"context_line":"that teaches UI development teams on how to implement and build on it. 
These"},{"line_number":72,"context_line":"options are already available and well documented, however they do not truly"},{"line_number":73,"context_line":"address the problem of servies such as Ironic, which represents its resource"},{"line_number":74,"context_line":"links in a strictly RESTful fashion. In that case, the proxy would have to read"},{"line_number":75,"context_line":"every request and response, and replace all link references to Ironic with"},{"line_number":76,"context_line":"references to itself."}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a016987_11456f16","line":73,"updated":"2015-05-26 18:51:09.000000000","message":"s/servies/services/","commit_id":"f7a34842b210f8ca91f7c527fbdb2c2ec27d0981"},{"author":{"_account_id":6804,"name":"bruce-benjamin","email":"bruce.benjamin@jhuapl.edu","username":"bruce-benjamin"},"change_message_id":"ba43621eb191249fd94914a65ac94861e6590f92","unresolved":false,"context_lines":[{"line_number":2,"context_line":"CORS Support"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"The W3C has released a Technical Recommendation (TR) via which an API may"},{"line_number":6,"context_line":"permit a user agent - usually a web browser - to selectively break the"},{"line_number":7,"context_line":"`same-origin policy`_. 
This permits javascript running in the user agent to"},{"line_number":8,"context_line":"access the API from domains, protocols, and ports that do not match the API"}],"source_content_type":"text/x-rst","patch_set":5,"id":"7a016987_d165681d","line":5,"updated":"2015-05-27 19:17:13.000000000","message":"s/via/by/","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":4190,"name":"lifeless","email":"robertc@robertcollins.net","username":"lifeless"},"change_message_id":"cae88941eba7797f834aa025263f9b7cc482b859","unresolved":false,"context_lines":[{"line_number":2,"context_line":"CORS Support"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"The W3C has released a Technical Recommendation (TR) via which an API may"},{"line_number":6,"context_line":"permit a user agent - usually a web browser - to selectively break the"},{"line_number":7,"context_line":"`same-origin policy`_. This permits javascript running in the user agent to"},{"line_number":8,"context_line":"access the API from domains, protocols, and ports that do not match the API"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5afe65bd_b3d11afe","line":5,"in_reply_to":"7a016987_d165681d","updated":"2015-06-01 23:09:22.000000000","message":"meh, via is fine IMO. Let\u0027s worry about deeper things in the review?","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":4190,"name":"lifeless","email":"robertc@robertcollins.net","username":"lifeless"},"change_message_id":"cae88941eba7797f834aa025263f9b7cc482b859","unresolved":false,"context_lines":[{"line_number":46,"context_line":"downstream, can choose to implement additional user interfaces of their own. 
An"},{"line_number":47,"context_line":"example use case may be Ironic, which may wish to ship an interface that can"},{"line_number":48,"context_line":"live independently of horizon, for such users who do not want to install"},{"line_number":49,"context_line":"additional components."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Proposed change"},{"line_number":52,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5afe65bd_73772203","line":49,"updated":"2015-06-01 23:09:22.000000000","message":"Another option that exists, and which I think we should also be pursuing, is encouraging the configuration of APIs into a single namespace e.g. via apache. This limits the number of SSL certs deployers need, and the ports they need open without any prejudice on the internal arrangement of services that we develop. Perhaps that\u0027s worth mentioning here as a by-the-by, or even in \u0027alternatives\u0027? Perhaps not? If listed in alternatives, I would counter it by saying that CORS can permit external UIs to be written that are wholly independent of a deployment, and that this is a good thing.","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"c74c11bea0ed1ecfffb44b5863f0f8509f604382","unresolved":false,"context_lines":[{"line_number":46,"context_line":"downstream, can choose to implement additional user interfaces of their own. 
An"},{"line_number":47,"context_line":"example use case may be Ironic, which may wish to ship an interface that can"},{"line_number":48,"context_line":"live independently of horizon, for such users who do not want to install"},{"line_number":49,"context_line":"additional components."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Proposed change"},{"line_number":52,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5afe65bd_b44af781","line":49,"in_reply_to":"5afe65bd_73772203","updated":"2015-06-02 20:50:20.000000000","message":"So, I agree with you on the \"All API\u0027s on the same host\" piece, however I\u0027d like to keep this particular spec focused on the benefits which CORS alone provides. Your comment, though, makes me think that the specification does not clearly indicate the benefit that separation of UI vs. API concerns provides. Do you think it warrants a new revision?","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":4190,"name":"lifeless","email":"robertc@robertcollins.net","username":"lifeless"},"change_message_id":"a0abbf1cce39e278efaaaeb8f05ea4ced01d29e4","unresolved":false,"context_lines":[{"line_number":46,"context_line":"downstream, can choose to implement additional user interfaces of their own. 
An"},{"line_number":47,"context_line":"example use case may be Ironic, which may wish to ship an interface that can"},{"line_number":48,"context_line":"live independently of horizon, for such users who do not want to install"},{"line_number":49,"context_line":"additional components."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Proposed change"},{"line_number":52,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5afe65bd_2db7d5d9","line":49,"in_reply_to":"5afe65bd_b44af781","updated":"2015-06-02 21:46:59.000000000","message":"I think with the concerns I have in the alternatives section addressed, that this prose up the is fine.","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":4190,"name":"lifeless","email":"robertc@robertcollins.net","username":"lifeless"},"change_message_id":"cae88941eba7797f834aa025263f9b7cc482b859","unresolved":false,"context_lines":[{"line_number":61,"context_line":"and to add the necessary documentation to the docs repository."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Note that improperly implemented CORS_ support is a security concern, and"},{"line_number":64,"context_line":"this should be highlighted in the documentation."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Alternatives"},{"line_number":67,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5afe65bd_f3b5527e","line":64,"updated":"2015-06-01 23:09:22.000000000","message":"Is there anything we can do (that isn\u0027t already done) to make it fail closed? That is, if someone hasn\u0027t configured it, make sure the middleware turns itself off well. 
Also perhaps look for well known misconfigurations, if such things exist.","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":4190,"name":"lifeless","email":"robertc@robertcollins.net","username":"lifeless"},"change_message_id":"a0abbf1cce39e278efaaaeb8f05ea4ced01d29e4","unresolved":false,"context_lines":[{"line_number":61,"context_line":"and to add the necessary documentation to the docs repository."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Note that improperly implemented CORS_ support is a security concern, and"},{"line_number":64,"context_line":"this should be highlighted in the documentation."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Alternatives"},{"line_number":67,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5afe65bd_0de1b9d0","line":64,"in_reply_to":"5afe65bd_34dcc7e3","updated":"2015-06-02 21:46:59.000000000","message":"I think its worth adding here then, something like...\n\n\"The oslo_middleware implementation defaults to inactive, and its documentation already covers key security concerns.\"","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"c74c11bea0ed1ecfffb44b5863f0f8509f604382","unresolved":false,"context_lines":[{"line_number":61,"context_line":"and to add the necessary documentation to the docs repository."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Note that improperly implemented CORS_ support is a security concern, and"},{"line_number":64,"context_line":"this should be highlighted in the 
documentation."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Alternatives"},{"line_number":67,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5afe65bd_34dcc7e3","line":64,"in_reply_to":"5afe65bd_f3b5527e","updated":"2015-06-02 20:50:20.000000000","message":"The provided middleware, if not configured, does nothing. The documentation also has an explicit callout for the \"*\" allowed domain setting, which clearly indicates that it is not recommended (though we have to support it to implement the spec fully).","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":4190,"name":"lifeless","email":"robertc@robertcollins.net","username":"lifeless"},"change_message_id":"cae88941eba7797f834aa025263f9b7cc482b859","unresolved":false,"context_lines":[{"line_number":73,"context_line":"address the problem of services such as Ironic, which represents its resource"},{"line_number":74,"context_line":"links in a strictly RESTful fashion. In that case, the proxy would have to read"},{"line_number":75,"context_line":"every request and response, and replace all link references to Ironic with"},{"line_number":76,"context_line":"references to itself."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Implementation"},{"line_number":79,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5afe65bd_f39e7206","line":76,"updated":"2015-06-01 23:09:22.000000000","message":"The Ironic case in other API servers I\u0027ve seen is addressed by making it possible to tell Ironic its actual public endpoint location, so it can generate correct resource links. 
If Ironic doesn\u0027t have this capability today, it\u0027s a bug - since it won\u0027t (for instance) generate https:// links, but we\u0027d expect Ironic\u0027s API to be behind an SSL proxy that owns the keys, for privilege separation [even though they may be on the same box]. See under Heartbleed.\n\nAs such, I don\u0027t think the Ironic case is a strong counterpoint here - a stronger one is the one I mentioned above, about the ability for entirely separate UIs to be built.","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":4190,"name":"lifeless","email":"robertc@robertcollins.net","username":"lifeless"},"change_message_id":"a0abbf1cce39e278efaaaeb8f05ea4ced01d29e4","unresolved":false,"context_lines":[{"line_number":73,"context_line":"address the problem of services such as Ironic, which represents its resource"},{"line_number":74,"context_line":"links in a strictly RESTful fashion. In that case, the proxy would have to read"},{"line_number":75,"context_line":"every request and response, and replace all link references to Ironic with"},{"line_number":76,"context_line":"references to itself."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Implementation"},{"line_number":79,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5afe65bd_ada4e5a5","line":76,"in_reply_to":"5afe65bd_6a0c9494","updated":"2015-06-02 21:46:59.000000000","message":"I don\u0027t think it would make it more or less clear. The issue is that that style of RESTy API requires a configuration knob, or it will simply fail to work in a wide range of deployment scenarios. Jenkins had this problem back in its deep past, for instance. 
As such I don\u0027t think the existence of such a not-yet-fixed API server in the OpenStack tent is an argument for, or against, CORS.\n\nI think the alternative here, which is to have a single namespace [there are many implementations to achieve that], can be done very cleanly; the introduction of the case where content rewriting is needed is IMO a strawman argument since it is a bug to have such a backend API, and those APIs are fixable.\n\nI think saying:\n\nOne alternative is to provide a proxy, much like horizon\u0027s implementation, or\na well configured Apache mod_proxy. It would require additional documentation\tthat teaches UI development teams on how to implement and build on it. These options are already available and well documented, however they do not enable experimentation or deployment of alternative UIs in the same way that CORS can since they require the UI to be hosted in the same endpoint; which requires either close deployment cooperation or deployment of a proxy-per-UI. CORS can permit UIs to be deployed using static files, allowing much lower cost-of-entry overheads.\n\nIs entirely sufficient and avoids depending on an argument that is at best transient.","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"c74c11bea0ed1ecfffb44b5863f0f8509f604382","unresolved":false,"context_lines":[{"line_number":73,"context_line":"address the problem of services such as Ironic, which represents its resource"},{"line_number":74,"context_line":"links in a strictly RESTful fashion. 
In that case, the proxy would have to read"},{"line_number":75,"context_line":"every request and response, and replace all link references to Ironic with"},{"line_number":76,"context_line":"references to itself."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Implementation"},{"line_number":79,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5afe65bd_6a0c9494","line":76,"in_reply_to":"5afe65bd_f39e7206","updated":"2015-06-02 20:50:20.000000000","message":"I\u0027m using Ironic as an example of a particular style of RESTy API\u0027s, ones that express their resource relationships as absolute URI\u0027s. This spec is not there to have an opinion on whether the configurability of the base of that URI is a bug or not.\n\nPerhaps removing direct references to Ironic would make this segment clearer?","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"change_message_id":"c82a43eb69efd185e3f1f6561d5fa382ae2dc24b","unresolved":false,"context_lines":[{"line_number":92,"context_line":"  This includes, but is not restricted to: Nova, Glance, Neutron, Cinder,"},{"line_number":93,"context_line":"  Keystone, Ceilometer, Heat, Trove, Sahara, and Ironic."},{"line_number":94,"context_line":"- Propose refactor to use `CORS Middleware`_ to OpenStack API\u0027s that already"},{"line_number":95,"context_line":"  support it via other means. 
This includes, but is not restricted to: Swift."},{"line_number":96,"context_line":"- Write documentation for CORS configuration."},{"line_number":97,"context_line":"  - The authoritative content will live in the Cloud Admin Guide."},{"line_number":98,"context_line":"  - The Security Guide will contain a comment and link to the Cloud Admin Guide."}],"source_content_type":"text/x-rst","patch_set":5,"id":"7a016987_fbc3cc88","line":95,"updated":"2015-05-26 21:39:08.000000000","message":"As Swift does per-container CORS (which I presume relies on the database, not config options), I think it will take some more work on the CORS middleware to accomplish this (and make CORS work for general Swift API endpoints).","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"},{"author":{"_account_id":9717,"name":"Michael Krotscheck","email":"krotscheck@gmail.com","username":"krotscheck"},"change_message_id":"9218009513e9ffb62305f3653015507cd12ec6d6","unresolved":false,"context_lines":[{"line_number":92,"context_line":"  This includes, but is not restricted to: Nova, Glance, Neutron, Cinder,"},{"line_number":93,"context_line":"  Keystone, Ceilometer, Heat, Trove, Sahara, and Ironic."},{"line_number":94,"context_line":"- Propose refactor to use `CORS Middleware`_ to OpenStack API\u0027s that already"},{"line_number":95,"context_line":"  support it via other means. 
This includes, but is not restricted to: Swift."},{"line_number":96,"context_line":"- Write documentation for CORS configuration."},{"line_number":97,"context_line":"  - The authoritative content will live in the Cloud Admin Guide."},{"line_number":98,"context_line":"  - The Security Guide will contain a comment and link to the Cloud Admin Guide."}],"source_content_type":"text/x-rst","patch_set":5,"id":"7a016987_e8149d44","line":95,"in_reply_to":"7a016987_fbc3cc88","updated":"2015-05-29 16:57:01.000000000","message":"Honestly, the way CORS (and middleware) works I feel that this will simply layer on top of what Swift already does. If the request matches the general API rules, it is likely to bypass the DB api rules and vice versa.","commit_id":"c1db8b54146f9c79caebecdd2147beb3481390c8"}]}
