Closed kalbmj closed 6 years ago
Hi @kalbmj. For now we only support disabling schema deletion via the option allowSchemaDeletion in env.js. If you use our docker image, you can use the environment variable ALLOW_DELETION=0 instead.
We don't support disabling the edit and create schema functionality.
Please note though that even if we supported them, it would just be a false sense of security. In order for Schema Registry UI to work, your browser has to be able to access the Schema Registry itself. So even if the UI does not allow you to edit a schema, you can always fire up your terminal and use curl or any other application that can do POST HTTP requests and do it manually.
Thanks @andmarios
@kalbmj You can actually control this at a proxying level.
I.e. if serving this UI through nginx, instead of
access.control.allow.methods=GET,POST,PUT,OPTIONS
You can use
access.control.allow.methods=GET,OPTIONS
That means that all (PUT + POST) will be blocked by the web-server, serving / proxying requests
@andmarios While I understand that implementing read-only does not improve security, I would argue that it is a reasonable feature to add. What's the reason behind implementing ALLOW_DELETION but not create/edit? What makes deletion so special? In my understanding, create/edit/delete are all "write" actions, and disabling deletion alone is not very useful.
Hello @yuha0
As per #87 we now have a READ ONLY version thanks to @fstaudt.
The default value is false but you can control it with the docker var READONLY_MODE or readonlyMode in the env.js file.
@jglambed Thanks. I didn't notice that issue. I tried the environment variable and it didn't work. I can still create a new schema and edit an existing one:
> docker run --name registry-ui --rm -p 9005:8000 -e SCHEMAREGISTRY_URL=http://my-schema-registry-url:8081 -e READONLY_MODE=1 -e PROXY=true schema-registry-ui:latest
Landoop Schema Registry UI 0.9.5
Visit <https://github.com/Landoop/schema-registry-ui/tree/master/docker>
to find more about how you can configure this container.
Enabling proxy.
Enabling readonly mode.
Setting Schema Registry URL to /api/schema-registry.
Note: if you use a PORT lower than 1024, please note that schema-registry-ui can
now run under any user. In the future a non-root user may become the default.
In this case you will have to explicitly allow binding to such ports, either by
setting the root user or something like '--sysctl net.ipv4.ip_unprivileged_port_start=0'.
Activating privacy features... done.
http://0.0.0.0:8000
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "POST /api/schema-registry/subjects/test/versions HTTP/1.1" 200 10
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/ HTTP/1.1" 200 92
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/test/versions/ HTTP/1.1" 200 3
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/config HTTP/1.1" 200 53
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/config/test HTTP/1.1" 404 51
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/test/versions/latest HTTP/1.1" 200 211
...
...
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/test/versions/6 HTTP/1.1" 200 211
172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/test/versions/ HTTP/1.1" 200 3
...
...
172.17.0.1 - - [05/Jun/2019:17:46:42 +0000] "POST /api/schema-registry/compatibility/subjects/test/versions/latest HTTP/1.1" 200 42
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "POST /api/schema-registry/compatibility/subjects/test/versions/latest HTTP/1.1" 200 42
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "POST /api/schema-registry/subjects/test/versions HTTP/1.1" 200 10
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/subjects/ HTTP/1.1" 200 92
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/subjects/test/versions/ HTTP/1.1" 200 5
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/config/test HTTP/1.1" 404 51
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/config HTTP/1.1" 200 53
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/subjects/test/versions/latest HTTP/1.1" 200 199
...
...
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/subjects/test/versions/latest HTTP/1.1" 200 199
...
...
172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "GET /api/schema-registry/subjects/test/versions/7 HTTP/1.1" 200 199
...
...
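The log above can be checked mechanically for writes that got through. The following is an added example, not part of the thread or of the project's code: it classifies access-log lines by whether the Schema Registry call changes state, so that the `POST /compatibility/...` checks (which only read) are not confused with `POST /subjects/<subject>/versions` (which registers a schema). The `/api/schema-registry` prefix is taken from the log; the last two sample lines are constructed.

```python
import re

# Request line in the access-log format shown in the container output above.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b'
)

PREFIX = "/api/schema-registry"  # proxy prefix seen in the log above

# Schema Registry calls that change state. POST /compatibility/... and
# POST /subjects/<subject> (lookup) are deliberately absent: they only read.
MUTATING = [
    ("POST", re.compile(r"^/subjects/[^/]+/versions/?$")),    # register schema
    ("PUT", re.compile(r"^/config(/[^/]+)?/?$")),             # change compatibility level
    ("DELETE", re.compile(r"^/subjects/[^/]+(/versions/[^/]+)?/?$")),
]

def is_mutating(method, path):
    """True if the proxied request would modify the registry."""
    if not path.startswith(PREFIX):
        return False
    rest = path[len(PREFIX):].split("?", 1)[0]
    return any(m == method and rx.match(rest) is not None for m, rx in MUTATING)

def successful_writes(lines):
    """Return (timestamp, client, method, path) for every 2xx mutating request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["status"].startswith("2") and is_mutating(m["method"], m["path"]):
            hits.append((m["ts"], m["client"], m["method"], m["path"]))
    return hits

# First four lines are copied from the log above; the last two are constructed.
SAMPLE = [
    '172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "POST /api/schema-registry/subjects/test/versions HTTP/1.1" 200 10',
    '172.17.0.1 - - [05/Jun/2019:17:46:33 +0000] "GET /api/schema-registry/subjects/ HTTP/1.1" 200 92',
    '172.17.0.1 - - [05/Jun/2019:17:46:42 +0000] "POST /api/schema-registry/compatibility/subjects/test/versions/latest HTTP/1.1" 200 42',
    '172.17.0.1 - - [05/Jun/2019:17:46:44 +0000] "POST /api/schema-registry/subjects/test/versions HTTP/1.1" 200 10',
    '172.17.0.1 - - [05/Jun/2019:17:47:00 +0000] "DELETE /api/schema-registry/subjects/test/versions/7 HTTP/1.1" 405 0',
    '172.17.0.1 - - [05/Jun/2019:17:47:05 +0000] "PUT /api/schema-registry/config/test HTTP/1.1" 200 25',
]

if __name__ == "__main__":
    for hit in successful_writes(SAMPLE):
        print(*hit)
```

Any hit while read-only mode is expected means the restriction is not enforced on the request path, whatever the startup banner says.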
The option will only be available in the next release (0.9.6?); it is not yet available.
@fstaudt Thanks! I will wait for the release then.
That option is in the documentation in the docker image repo and I saw "Enabling readonly mode." in the log. Those are kind of misleading though...
The latest image of schema-registry-ui was generated 13 days ago when my PR was accepted. I had not seen it but it's possible that it already contains the readonly feature.
So it is not implemented correctly? I can confirm I am using the latest tag, which was pushed 13 days ago.
Logs still show version 0.9.5. I don't think the latest image already includes the feature.
It is indeed misleading. I only provided the PR; I'm not aware of the release process.
Hello, what configuration / ENV vars would be necessary in order to make this UI read only (no edit/create/delete abilities)?
Thanks in advance.