Commit 9f27c235 authored by LETORT Sebastien's avatar LETORT Sebastien

Merge django in metrics.

parents a743a6a1 979954ef
......@@ -31,6 +31,13 @@ Each environment has its own docker network. The nginx container is connected
to all these networks.
License
-------
GNU AFFERO GENERAL PUBLIC LICENSE
https://www.gnu.org/licenses/agpl-3.0.html
Conventions
-----------
......
......@@ -7,6 +7,6 @@ app_name = 'api'
urlpatterns = [
url(r'^jobs$', views.jobs, name='jobs'),
url(r'^jobs/(?P<pk>\d+)', views.APIJobView.as_view(), name='job'),
url(r'^datastore/(?P<pk>\d+)/(.*)/(.*)', views.APIDownloadView.as_view(), name='download'),
url(r'^datastore/(?P<pk>\d+)/(.*)', views.APIDownloadView.as_view(), name='download'),
url(r'^metrics/(?P<what>\w+)/(?P<app_id>\d+)', views.Metrics.as_view(), name='metrics'),
]
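Review bot: On the `datastore` route the trailing `(.*)` is an unnamed group next to the named `pk` group, and Django's regex resolver drops unnamed groups whenever a named one is present, so the file part of the path never reaches `APIDownloadView` as a positional argument. If the view still needs it, name it, e.g. `url(r'^datastore/(?P<pk>\d+)/(?P<path>.*)$', ...)`; if not, a non-capturing `(?:.*)` states the intent. The `jobs/<pk>` and `metrics` patterns also have no closing `$`, so any suffix after the digits is accepted; ending them with `(?P<app_id>\d+)$` (and likewise for `pk`) would make the match exact. The page prints both the one-group and two-group `datastore` lines without markers, so this applies to whichever of them is the new one.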
......@@ -163,6 +163,5 @@ def jobs(request):
class APIDownloadView(JobAuthMixin, View):
def get(self, request, *args, **kwargs):
jobid = args[0]
filename = args[1]
return redirect("/datastore/%s/%s" % (jobid, filename))
log.error("datastore requests must be served by nginx (bad config!)")
return JsonResponse({'error': 'Internal Server Error'}, status=500)
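Review bot: The `log.error` call in `APIDownloadView.get` records nothing about the request that reached Django, which makes the proxy misconfiguration it reports hard to trace; this assumes the `log.error`/`JsonResponse` pair is the new body and the `redirect` lines are the removed ones, which the page does not mark. Logging the path with lazy formatting would help, e.g. `log.error("datastore request %r reached django; it must be served by nginx (bad config!)", request.path)`, where `%r` keeps control characters from the URL escaped in the log. A one-line class docstring saying the view is a sentinel for a request nginx should have served would also explain why it always answers 500. Whether the class continues below the hunk is not visible.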
......@@ -179,9 +179,12 @@ def get_base_url(request):
def get_request_user(request):
"""Return the authenticated user from the provided request
The authentication is attempted:
- first with the session cookie
- then with the token provided in the HTTP Authorization header
Depending on the request path, the authentication is attempted on:
- the token provided in the HTTP Authorization header for /api/ urls
- the session cookie for other urls
In case of /auth requests we assume that 'X-Original-URI' is the path of
the current request.
Args:
request
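Review bot: The new docstring sentence about `X-Original-URI` states an assumption without saying who guarantees it, although the choice between token and cookie authentication now depends on that value. I would add a sentence such as `X-Original-URI is a request header: it is trustworthy only when nginx sets it on the internal /auth subrequest and Django cannot be reached without passing through nginx.` The function body lies outside this hunk, so whether the code checks where the header came from cannot be seen here.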
......
......@@ -1528,7 +1528,7 @@ def auth(request):
return HttpResponse(status=401)
# find the relevant job
mo = re.match(r'/datastore/(\d+)/', request.META['HTTP_X_ORIGINAL_URI'])
mo = re.match(r'(?:/api/v1)?/datastore/(\d+)/', request.META['HTTP_X_ORIGINAL_URI'])
if mo:
job = Job.objects.filter(id=int(mo.group(1))).first()
if job is not None and job.user == user:
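Review bot: The job id is parsed here from `request.META['HTTP_X_ORIGINAL_URI']` on its own, while `get_request_user` (per its docstring) reads the same header to choose between token and cookie authentication; with the optional `/api/v1` prefix now accepted, the two parses have to agree on every input. A single helper returning both the API/non-API decision and the job id from one parsed value would keep them from diverging, and a test for an `/api/v1/datastore/` request carrying only a session cookie (expect 401) would pin the rule stated in the nginx config. The direct `META[...]` index also raises `KeyError` when the header is absent, unless that is checked above the hunk, which is not visible; `request.META.get('HTTP_X_ORIGINAL_URI', '')` would fall through to a refusal instead of a 500. The `if` body continues outside the hunk.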
......
......@@ -15,37 +15,48 @@ server
client_body_in_file_only clean;
client_body_buffer_size 32K;
# Disabled until #227 is implemented
#
# # registry endpoints
# # - forwarded to the registry
# # - except manifest push/pull -> forwarded through the django server (to
# # guarantee that the db is transactionally updated)
# location /v2/
# {
# proxy_pass {ALLGO_REGISTRY_PRIVATE_URL}/v2/;
# proxy_redirect off;
# proxy_buffering off;
#
# location ~ ^/v2/.*/manifests/[^/]*$ {
# proxy_pass http://aio;
# }
# }
# ----
# location are presented in their application/priority order
# allgo async endpoints
location /aio/
location /api/
{ # The CORS config allows any origin. These endpoints MUST NOT use
# authentication by cookie.
if ($request_method = 'OPTIONS')
{
proxy_pass http://aio/aio/;
proxy_redirect off;
proxy_buffering off;
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
# Custom headers and headers various browsers *should* be OK with but aren't
add_header 'Access-Control-Allow-Headers' 'Content-Type,Authorization';
return 204;
}
location /api/v1/
{ # it's not illegal access, go through django
add_header Access-Control-Allow-Origin "*";
proxy_pass http://django;
proxy_redirect off; # work without it, maybe it's bad to remove it
location ~ /datastore/([0-9]+)/(.*)$ {
# header set to distinguish between requests going directly from nginx and
# requests going through aio
#
# This is a security feature. Django trusts this value (like the
# X-Forwarded-* headers), do not remove it !
proxy_set_header X-Origin "nginx";
}
location /api/v1/datastore/
{ # it's not illegal access, access to static file
autoindex on;
auth_request /auth;
auth_request_set $auth_status $upstream_status;
root /vol/rw/;
alias /vol/rw/datastore/;
# This is a security measure (DO NOT REMOVE)
......@@ -56,8 +67,12 @@ server
#
disable_symlinks on;
}
} #location /api/
location = /auth {
location = /auth
{ # call the auth view in django
# = grant that only known user can go through
internal;
proxy_pass http://django/auth;
proxy_redirect off;
......@@ -65,39 +80,17 @@ server
}
# allgo endpoints
# - static files served directly by nginx
# - other requests forwarded to the django server
location /
{
sendfile on;
send_timeout 300s;
keepalive_timeout 5;
root /var/www/html;
try_files $uri/index.html $uri.html $uri @django;
}
location /api/v1
{
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'Content-Type,Authorization';
return 204;
location /aio/
{ # allgo async endpoints
proxy_pass http://aio/aio/;
proxy_redirect off;
proxy_buffering off;
}
add_header Access-Control-Allow-Origin "*";
# proxy_redirect off; # work without it, maybe it's bad to remove it
location @django
{ # simple access to the web site
proxy_redirect off;
proxy_pass http://django;
# header set to distinguish between requests going directly from nginx and
......@@ -108,18 +101,50 @@ server
proxy_set_header X-Origin "nginx";
}
location @django
{
proxy_redirect off;
proxy_pass http://django;
# header set to distinguish between requests going directly from nginx and
# requests going through aio
# Disabled until #227 is implemented
#
# # registry endpoints
# # - forwarded to the registry
# # - except manifest push/pull -> forwarded through the django server (to
# # guarantee that the db is transactionally updated)
# location /v2/
# {
# proxy_pass {ALLGO_REGISTRY_PRIVATE_URL}/v2/;
# proxy_redirect off;
# proxy_buffering off;
#
# location ~ ^/v2/.*/manifests/[^/]*$ {
# proxy_pass http://aio;
# }
# }
location /datastore/
{ # access to static files
autoindex on;
auth_request /auth;
auth_request_set $auth_status $upstream_status;
alias /vol/rw/datastore/;
# This is a security measure (DO NOT REMOVE)
#
# This is a security feature. Django trusts this value (like the
# X-Forwarded-* headers), do not remove it !
proxy_set_header X-Origin "nginx";
# By default nginx follows symbolic links, which would be a major
# vulnerability because jobs could create symbolic links to any file
# inside django container (like the secret key for signing tokens)
#
disable_symlinks on;
}
location /
{ # allgo endpoints
# - static files served directly by nginx
# - other requests forwarded to the django server
sendfile on;
send_timeout 300s;
}
keepalive_timeout 5;
root /var/www/html;
try_files $uri/index.html $uri.html $uri @django;
}
} #server
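Review bot: The rule in the new `location /api/` block that these endpoints must not authenticate by cookie exists only as a comment, while `Access-Control-Allow-Origin "*"` is sent for everything under it and nginx still forwards the client's `Cookie` header to Django. In `location /api/v1/` the proxy can enforce the rule itself with `proxy_set_header Cookie "";` next to the `X-Origin` line, provided no API view relies on the session. The `/api/v1/datastore/` location authenticates through the shared `/auth` subrequest, which also serves the cookie-authenticated `/datastore/` location, so there the rule rests entirely on Django's handling of `X-Original-URI`; a comment in that location saying so would help the next editor. The header lines of the `/auth` block fall between the displayed hunks and could not be checked.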