Comments (5)
The standard set of HTTP status codes doesn't always map well to our needs, and sometimes no code seems to be the exact right fit for a given use case.
You're right that 413 was never intended to be used this way, but neither was 403. 403 seems generally assumed to come from lacking authorization in a security context.
from metrictank.
@Dieterbe I understand, but using 413 is really misleading as most tools/libraries suggest this is a problem with request size and not a query evaluation issue (breaking limits) on the server side.
I also understand that 403, being used mainly in a security context, might be as misleading/fuzzy as 413 is. Since an explanation is provided in the error response body, what about using a bare 400?
most of tools/libraries suggest this is problem with request size
interesting. do you know of examples of this?
So I've been reading the RFC a bit more..
https://tools.ietf.org/html/rfc2616
413 and 400 are fairly explicit in the spec that they are meant for a different use than this. 413 you already pointed out; 400 is for "The request could not be understood by the server due to malformed syntax."
Reading the 403 in more detail leads me to believe it has nothing to do with security, and anyone (including me :) ) treating it this way is wrong.
Because 401 covers both "you need to authenticate" and "you authenticated and your login is not allowed to request this".
The Mozilla "interpretation" of this status code seems to confirm this:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403 says
403 Forbidden
The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.
This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.
for completeness, the RFC copy:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
If the request method was not HEAD and the server wishes to make
public why the request has not been fulfilled, it SHOULD describe the
reason for the refusal in the entity. If the server does not wish to
make this information available to the client, the status code 404
(Not Found) can be used instead.
I now think 403 is the best choice for this use case.
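The three outcomes the comment above distinguishes, as an added Go example (not metrictank's own code): a toy query endpoint that answers 400 only when the query cannot be parsed, 403 with the reason in the body when the query is understood but a server-side limit refuses it (RFC 2616 10.4.4), and 404 instead of 403 when the operator does not want to disclose the reason. The `series=` query syntax, the `maxSeries` limit of 100 and the JSON error shape are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Added example, not metrictank code. The limit value, the query syntax and
// the JSON shape are assumptions for illustration only.
//   400 Bad Request - the query could not be parsed (malformed syntax)
//   403 Forbidden   - the query was understood but a server-side limit refuses
//                     it; the reason goes in the body as RFC 2616 10.4.4 suggests
//   404 Not Found   - the RFC's alternative when the server does not want to
//                     disclose why it refused
const maxSeries = 100

var (
	errMalformed = errors.New("malformed query: expected series=<decimal count>")
	errTooMany   = fmt.Errorf("query would expand to more than %d series", maxSeries)
)

// parseQuery is a stand-in for a real query parser: the only "query" it
// understands is a non-negative decimal series count.
func parseQuery(raw string) (int, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return 0, errMalformed
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 0 {
		return 0, errMalformed
	}
	return n, nil
}

// evaluate applies the server-side limit only after the query was understood.
func evaluate(series int) error {
	if series > maxSeries {
		return errTooMany
	}
	return nil
}

type errorBody struct {
	Error string `json:"error"`
}

// writeError puts the reason for the refusal in the entity body.
func writeError(w http.ResponseWriter, code int, reason string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	_ = json.NewEncoder(w).Encode(errorBody{Error: reason})
}

// NewQueryHandler builds the handler; discloseReason=false switches a limit
// refusal from an explained 403 to a bare 404, per the RFC's last sentence.
func NewQueryHandler(discloseReason bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		n, err := parseQuery(r.URL.Query().Get("series"))
		if err != nil {
			writeError(w, http.StatusBadRequest, err.Error()) // syntax not understood
			return
		}
		if err := evaluate(n); err != nil {
			if !discloseReason {
				http.NotFound(w, r) // understood, refused, reason withheld
				return
			}
			writeError(w, http.StatusForbidden, err.Error()) // understood, refused, reason given
			return
		}
		w.WriteHeader(http.StatusOK)
		fmt.Fprintf(w, "ok: %d series\n", n)
	}
}

// StatusFor drives the handler in-process (no network) and returns the
// status code and trimmed body for a given series= value.
func StatusFor(rawSeries string, discloseReason bool) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/render?series="+rawSeries, nil)
	rec := httptest.NewRecorder()
	NewQueryHandler(discloseReason)(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, q := range []string{"10", "abc", "5000"} {
		code, body := StatusFor(q, true)
		fmt.Printf("series=%-5s -> %d %s\n", q, code, body)
	}
}
```

Running it prints a 200 for `series=10`, a 400 with the "malformed query" body for `series=abc`, and a 403 with the "more than 100 series" body for `series=5000`; calling `StatusFor("5000", false)` gives the 404 variant.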
@Dieterbe Thanks for looking into this. I wanted to bring up "Authorization will not help and the request SHOULD NOT be repeated." - but I had to agree with you that 403 is, in the real world, used a lot in a security context and that note can easily be interpreted like 401's "you authenticated and your login is not allowed to request this".
As for tools, I was playing with the API through a few HTTP intercepting tools that give hints on bad results while building an API client (tools like https://httptoolkit.tech/ or Postman) and they mostly gave an "invalid request" kind of hint.
yep, let's do the right thing then and use 403.
Thanks Ondrej!