lensesio / schema-registry-ui

Web tool for Avro Schema Registry
http://lenses.io/product/features

Read-only version of the Schema Registry UI #68

Closed kalbmj closed 6 years ago

kalbmj commented 6 years ago

Hello, what configuration / ENV vars would be necessary in order to make this UI read-only (no edit/create/delete abilities)?

Thanks in advance.

andmarios commented 6 years ago

Hi @kalbmj. For now we only support disabling schema deletion via the option allowSchemaDeletion in env.js. If you use our docker image, you can use the environment variable ALLOW_DELETION=0 instead.

We don't support disabling the edit and create schema functionality.

Please note though that even if we supported them, it would just be a false sense of security. In order for Schema Registry UI to work, your browser has to be able to access the Schema Registry itself. So even if the UI does not allow you to edit a schema, you can always fire up your terminal and use curl or any other application that can do POST HTTP requests and do it manually.

kalbmj commented 6 years ago

Thanks @andmarios

Antwnis commented 6 years ago

@kalbmj You can actually control this at a proxying level.

I.e. if serving this UI through nginx, instead of

access.control.allow.methods=GET,POST,PUT,OPTIONS

you can use

access.control.allow.methods=GET,OPTIONS

That means that all (PUT + POST) will be blocked by the web server serving / proxying requests.

yuha0 commented 5 years ago

@andmarios While I understand that implementing read-only does not improve security, I would argue that it is a reasonable feature to add. What's the reason behind implementing ALLOW_DELETION but not create/edit? What makes deletion so special? In my understanding, create/edit/delete are all "write" actions, and disabling deletion alone is not very useful.

jglambed commented 5 years ago

Hello @yuha0 As per #87 we now have a READ ONLY version thanks to @fstaudt. The default value is false but you can control it with the docker var READONLY_MODE or readonlyMode in the env.js file.

yuha0 commented 5 years ago

@jglambed Thanks. I didn't notice that issue. I tried the environment variable and it didn't work. I can still create a new schema and edit an existing one:

```
> docker run --name registry-ui --rm -p 9005:8000 -e SCHEMAREGISTRY_URL=http://my-schema-registry-url:8081 -e READONLY_MODE=1 -e PROXY=true schema-registry-ui:latest
Landoop Schema Registry UI 0.9.5
Visit <https://github.com/Landoop/schema-registry-ui/tree/master/docker>
to find more about how you can configure this container.

Enabling proxy.
Enabling readonly mode.
Setting Schema Registry URL to /api/schema-registry.
Note: if you use a PORT lower than 1024, please note that schema-registry-ui can
now run under any user. In the future a non-root user may become the default.
In this case you will have to explicitly allow binding to such ports, either by
setting the root user or something like '--sysctl net.ipv4.ip_unprivileged_port_start=0'.

Activating privacy features... done.
http://0.0.0.0:8000
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "POST /api/schema-registry/subjects/test/versions HTTP/1.1" 200 10
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/ HTTP/1.1" 200 92
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/test/versions/ HTTP/1.1" 200 3
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/config HTTP/1.1" 200 53
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/config/test HTTP/1.1" 404 51
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/test/versions/latest HTTP/1.1" 200 211
...
...
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/test/versions/6 HTTP/1.1" 200 211
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/test/versions/ HTTP/1.1" 200 3
...
...
172.17.0.1 - - [05/Jun/2019:17:46:42 +0000] "POST /api/schema-registry/compatibility/subjects/test/versions/latest HTTP/1.1" 200 42
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "POST /api/schema-registry/compatibility/subjects/test/versions/latest HTTP/1.1" 200 42
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "POST /api/schema-registry/subjects/test/versions HTTP/1.1" 200 10
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/subjects/ HTTP/1.1" 200 92
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/subjects/test/versions/ HTTP/1.1" 200 5
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/config/test HTTP/1.1" 404 51
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/config HTTP/1.1" 200 53
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/subjects/test/versions/latest HTTP/1.1" 200 199
...
...
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/subjects/test/versions/latest HTTP/1.1" 200 199
...
...
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/subjects/test/versions/7 HTTP/1.1" 200 199
...
...
```

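
Added example, not part of the thread or the project's code: one way to check a proxy access log in the format shown above for state-changing requests that the registry accepted while read-only mode was expected. The sample lines are constructed, and treating the two POST endpoints as read-only is an assumption based on Confluent's Schema Registry REST API.

```python
import re

# Access-log line format, as printed by the container in the post above.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
PREFIX = "/api/schema-registry"  # proxy prefix seen in that log
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumption (Confluent Schema Registry REST API): these POSTs only query.
READ_ONLY_POST = (
    re.compile(r"^/compatibility/"),      # compatibility test
    re.compile(r"^/subjects/[^/]+/?$"),   # "is this schema registered?" lookup
)

def is_write(method, path):
    """True if the request would change registry state."""
    path = path.split("?", 1)[0]
    if path.startswith(PREFIX):
        path = path[len(PREFIX):]
    if method in SAFE_METHODS:
        return False
    if method == "POST" and any(p.search(path) for p in READ_ONLY_POST):
        return False
    return True

def successful_writes(lines):
    """Return (timestamp, client, method, path) for every 2xx write request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_write(m["method"], m["path"]) and m["status"].startswith("2"):
            hits.append((m["ts"], m["client"], m["method"], m["path"]))
    return hits

# Constructed sample lines (not taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2024:10:00:01 +0000] "GET /api/schema-registry/subjects/ HTTP/1.1" 200 92',
    '192.0.2.10 - - [12/Mar/2024:10:00:02 +0000] "POST /api/schema-registry/compatibility/subjects/orders-value/versions/latest HTTP/1.1" 200 42',
    '192.0.2.10 - - [12/Mar/2024:10:00:03 +0000] "POST /api/schema-registry/subjects/orders-value/versions HTTP/1.1" 200 10',
    '192.0.2.10 - - [12/Mar/2024:10:00:04 +0000] "DELETE /api/schema-registry/subjects/orders-value/versions/3 HTTP/1.1" 403 162',
    '192.0.2.11 - - [12/Mar/2024:10:00:05 +0000] "PUT /api/schema-registry/config/orders-value HTTP/1.1" 200 29',
    '192.0.2.11 - - [12/Mar/2024:10:00:06 +0000] "POST /api/schema-registry/subjects/orders-value HTTP/1.1" 200 211',
]

if __name__ == "__main__":
    for hit in successful_writes(SAMPLE):
        print("write reached the registry:", *hit)
```

A rule that rejects every POST at the proxy would also reject the compatibility test and the schema lookup, which is why the classifier separates them from registrations.
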
fstaudt commented 5 years ago

The option will only be available in the next release (0.9.6?); it is not yet available.

yuha0 commented 5 years ago

@fstaudt Thanks! I will wait for the release then.

That option is in the documentation in the docker image repo and I saw "Enabling readonly mode." in the log. Those are kind of misleading though...

fstaudt commented 5 years ago

The latest image of schema-registry-ui was generated 13 days ago when my PR was accepted. I had not seen it but it's possible that it already contains the readonly feature.

yuha0 commented 5 years ago

So it is not implemented correctly? I can confirm I am using the latest tag, which was pushed 13 days ago.

fstaudt commented 5 years ago

Logs still show version 0.9.5. I don't think the latest image already includes the feature.

It is indeed misleading. I only provided the PR; I'm not aware of the release process.