Details
- Bug
- Status: Closed
- Not a Priority
- Resolution: Abandoned
- 1.10.0
- None
- None
Description
We were trying to build a proxy that excluded all mutating operations, and the documented REST API indicates that all mutating ops are always PUT/POST/PATCH etc. and never GET.
However, then we took a look at the "cancel" feature in the UI and it uses an undocumented API that violates good REST practice by mutating on a GET.
The UI contains this comment ....
```
/**
 * Uses the non REST-compliant GET yarn-cancel handler which is available in addition to the
 * proper BASE_URL + "jobs/" + jobid + "?mode=cancel"
 * @param jobId
 */
cancelJob(jobId: string) {
  return this.httpClient.get(`${BASE_URL}/jobs/${jobId}/yarn-cancel`);
}
```
Why is this bending necessary?
Why not use a POST or other mutating method?
Why not use a documented API?
This kind of thing makes it difficult to trust the product and makes it difficult to build a secure deployment.
Any ideas?
==
Suggestion ...
There exists "web.submit.enabled" to turn off /jar features.
What would also be useful is "web.cancel.enabled" to turn off the UI button and also the service endpoint.
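
A read-only proxy policy for the situation described in the report, added here as an example (it is not code from the report or from the project): it rejects every method other than GET/HEAD and additionally rejects the GET `yarn-cancel` route quoted above, after normalizing the path so that encoded or padded variants do not slip past the pattern. The function names, the route list and the job id `abc123` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

SAFE_METHODS = {"GET", "HEAD"}  # a read-only proxy forwards nothing else

# GET routes that change state despite the method. Only the handler quoted in
# the report is listed; audit the routes of your own version and extend this.
MUTATING_GET_ROUTES = [re.compile(r"^/jobs/[^/]+/yarn-cancel$", re.IGNORECASE)]

# Encoded "/", "\" or "%" may be decoded differently by proxy and backend.
AMBIGUOUS_ESCAPES = re.compile(r"%(2f|5c|25)", re.IGNORECASE)


def normalize_path(target):
    """Return the canonical path of a request target, or None if ambiguous."""
    raw = target.split("#", 1)[0].split("?", 1)[0]
    if not raw.startswith("/") or AMBIGUOUS_ESCAPES.search(raw):
        return None
    # Decode once, then drop empty segments ("//" and a trailing "/").
    segments = [s for s in unquote(raw).split("/") if s]
    if any(s in (".", "..") for s in segments):
        return None  # refuse dot segments instead of resolving them
    return "/" + "/".join(segments)


def is_allowed(method, target):
    """Decide whether the read-only proxy forwards this request."""
    if method.upper() not in SAFE_METHODS:
        return False
    path = normalize_path(target)
    if path is None:
        return False
    return not any(route.match(path) for route in MUTATING_GET_ROUTES)


if __name__ == "__main__":
    # Constructed sample requests; "abc123" is a placeholder job id.
    for method, target in [
        ("GET", "/jobs/abc123"),
        ("PATCH", "/jobs/abc123?mode=cancel"),
        ("GET", "/jobs/abc123/yarn-cancel"),
        ("GET", "/jobs/abc123/yarn%2Dcancel/"),
    ]:
        print(method, target, "->", "forward" if is_allowed(method, target) else "deny")
```

A deny list like this only covers routes someone has already found; a default-deny allow list of audited read-only routes is the stricter variant of the same check.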