ArafatKhan2198 commented on PR #8933: URL: https://github.com/apache/ozone/pull/8933#issuecomment-3179055855
> > The custom headers we added (like `X-Requested-With: OzoneAdminCLI`) ensure that only our OZONE CLI can trigger the rebuild - browsers and casual web requests get blocked.
>
> Not really. Browsers and tools like `curl` can send custom HTTP headers. This should require authentication and proper admin privilege check in Recon to prevent DoS attacks.

I agree — right now the only enforcement is Kerberos (SPNEGO), so anyone who runs kinit can call the Recon API (curl, CLI, browser) — custom headers don’t stop that and don’t prevent DoS. We should either add proper authorization checks + rate limiting (and audit) or avoid exposing this API endpoint.

My idea of custom headers was misleading — they’re for convenience/identification, not security; they help distinguish CLI requests from casual browser access but are trivial to bypass.
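To make the distinction in the comment above concrete, here is an added example (not Ozone's or Recon's code; the admin list, the `Request` stand-in and the class and function names are assumptions). It contrasts the header-only check with one that requires an authenticated principal, admin membership and a per-principal rate limit.

```python
import time
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Constructed sample value; Recon's real admin configuration is not part of this example.
ADMIN_PRINCIPALS = {"ozoneadmin@EXAMPLE.COM"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request after SPNEGO authentication has run."""
    headers: dict
    principal: Optional[str] = None  # Kerberos principal set by SPNEGO, None if unauthenticated


def header_only_check(req: Request) -> bool:
    """The scheme the PR originally relied on: any client (curl, browser) can set this header."""
    return req.headers.get("X-Requested-With") == "OzoneAdminCLI"


class RebuildAuthorizer:
    """Authentication, admin authorization and a sliding-window rate limit per principal."""

    def __init__(self, admins, max_calls=2, window_s=60.0, clock=time.monotonic):
        self.admins = set(admins)
        self.max_calls = max_calls
        self.window_s = window_s
        self.clock = clock            # injectable for deterministic tests
        self.calls = {}               # principal -> deque of recent call timestamps

    def authorize(self, req: Request):
        """Return (allowed, reason); the reason is what an audit log entry would record."""
        if req.principal is None:
            return False, "unauthenticated"
        if req.principal not in self.admins:
            return False, "not an admin"
        now = self.clock()
        recent = self.calls.setdefault(req.principal, deque())
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()          # drop calls that fell out of the window
        if len(recent) >= self.max_calls:
            return False, "rate limited"
        recent.append(now)
        return True, "ok"
```

A forged header alone satisfies `header_only_check` but is rejected by `RebuildAuthorizer`, which only admits an authenticated admin principal within its call budget.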
