Environment
Affected versions:
- Yugabyte Platform (Yugaware) for Replicated and Kubernetes:
- 2.4.x
- 2.6.x
Fixed in:
- 2.8.0+
- 2.12.1+
Issue
When attempting to log into the Yugabyte Platform (Yugaware) Admin Console, clicking the "Login" button will appear to do nothing. The following message will be present in the logs from the `yugaware` container:
$ sudo docker container logs yugaware | grep "Invalid CORS"
WARN AbstractCORSPolicy.scala:311 [application-akka.actor.default-dispatcher-2104] Invalid CORS request;Origin=Some(https://<hostname>:<port>);Method=GET;Access-Control-Request-Headers=None
Cause
To increase product security, Cross-Origin Resource Sharing (CORS) was implemented in Yugabyte Platform as of version 2.4.0. As a result, the URL used to access the Yugaware UI must match the hostname that is configured in the Platform. The Origin value in the log message above shows the URL that was used in the HTTPS request.
The introduction of this feature is noted in the 2.4.0 release notes: "Enabling of CORS policy by default"
https://docs.yugabyte.com/latest/releases/release-notes/v2.4/
Resolution
YBA Installer
The "support_origin_url" field can be set in the "yba-ctl.yml" config file.
1. Locate the config file by running "sudo yba-ctl status"
YBA Url | Install Root | yba-ctl config | yba-ctl Logs |
https://10.11.0.3 | /opt/yugabyte | /opt/yba-ctl/yba-ctl.yml | /opt/yba-ctl/yba-ctl.log |
2. Open the file and find the "support_origin_url" line. Add in the appropriate hostname.
Example:
support_origin_url: "https://localhost:8443"
3. Run "sudo yba-ctl reconfigure" to apply the changes.
NOTE: This will bring down all YBA services to apply the changes.
Replicated
The Replicated UI allows an additional hostname or IP to be entered in the "Support Origin URL" field. Currently, only two hostnames or IPs are supported (one in "Hostname" and one in "Support Origin URL").
To configure these fields, click on "Settings" at the top, and then "Application config" on the left.
Kubernetes
In YugabyteDB Anywhere versions 2.8.x and newer, update the CORS domains using yugaware/values.yaml:
cpu: 2
memory: 4Gi
enableProxyMetricsAuth: true
## List of additional allowed CORS origins in case of complex rev-proxy
additionAllowedCorsOrigins: []
proxyEndpointTimeoutMs: 1 minute
# enables features specific for cloud deployments
## Enables features specific for cloud deployments
cloud:
  enabled: false
Edit the "additionAllowedCorsOrigins" entry:
additionAllowedCorsOrigins: ["< URL required for UI >"]
Manual Workarounds for Replicated and Kubernetes
NOTE: The workarounds are not persistent through reboots of Replicated and Kubernetes, and will need to be manually re-applied each time.
Workaround (Replicated)
NOTE: This workaround should only be used if an older version of Replicated is being used that does not have the "Support Origin URL" field, or more than two hostnames/IPs are needed.
The docker configuration file can be modified to add additional entries to the "allowedOrigins" field. This is the field that handles CORS enforcement.
allowedOrigins = ["https://<existing entry>", "< additional URL required >"]
The file is located at a path like the following:
/var/lib/replicated-operator/5b626ef3e8b94d86676c176ab218fa0a/opt/yugabyte/yugaware/conf/application.docker.conf
You can find the file by using the following command:
$ sudo docker inspect yugaware | grep application.docker.conf | grep Source
"Source": "/var/lib/replicated-operator/5b626ef3e8b94d86676c176ab218fa0a/opt/yugabyte/yugaware/conf/application.docker.conf",
Once this is done, restart the yugaware container to apply the changes:
$ sudo docker restart yugaware
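Before editing the file, the Origin values that yugaware rejected can be compared against the current "allowedOrigins" list to see exactly which entries are missing. The script below is an added example, not part of the original article or of Yugabyte tooling; the function names and sample hostnames are constructed, and it assumes the "allowedOrigins" list sits on a single line.

```bash
#!/usr/bin/env bash
# Added example: report origins that yugaware rejected and that are missing
# from allowedOrigins. Function names and sample data are constructed.

# Print each distinct Origin from "Invalid CORS request" lines read on stdin.
rejected_origins() {
  sed -n 's/.*Invalid CORS request;Origin=Some(\([^)]*\));.*/\1/p' | sort -u
}

# Print the allowedOrigins entries of config file "$1", one per line.
# Assumption: the list sits on a single line, as in the article's snippets.
allowed_origins() {
  grep -E '^[[:space:]]*allowedOrigins[[:space:]]*=' "$1" |
    grep -oE '"[^"]*"' | tr -d '"'
}

# Print rejected origins (log on stdin) with no exact match in config "$1".
# An origin is scheme, host and port together, so the comparison is exact.
missing_origins() {
  local allowed origin
  allowed=$(allowed_origins "$1")
  rejected_origins | while IFS= read -r origin; do
    printf '%s\n' "$allowed" | grep -qxF -- "$origin" || printf '%s\n' "$origin"
  done
}

# Constructed sample input; hostnames are placeholders.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/application.docker.conf" <<'EOF'
  allowedOrigins = ["https://yba.example.internal", "https://10.11.0.3"]
EOF
cat > "$demo_dir/yugaware.log" <<'EOF'
WARN AbstractCORSPolicy.scala:311 [application-akka.actor.default-dispatcher-2104] Invalid CORS request;Origin=Some(https://localhost:8443);Method=GET;Access-Control-Request-Headers=None
WARN AbstractCORSPolicy.scala:311 [application-akka.actor.default-dispatcher-2110] Invalid CORS request;Origin=Some(https://yba.example.internal:8443);Method=GET;Access-Control-Request-Headers=None
WARN AbstractCORSPolicy.scala:311 [application-akka.actor.default-dispatcher-2111] Invalid CORS request;Origin=Some(https://localhost:8443);Method=GET;Access-Control-Request-Headers=None
INFO constructed unrelated log line
EOF

# Against a live Replicated install (path from the docker inspect step):
#   sudo docker container logs yugaware 2>&1 | missing_origins /path/to/application.docker.conf
missing_origins "$demo_dir/application.docker.conf" < "$demo_dir/yugaware.log"
```

Each line printed is an origin to add to "allowedOrigins" exactly as shown, including scheme and port.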
Workaround (Kubernetes)
The existing configuration can be checked using the following kubectl command (this assumes the namespace is "yb-platform"):
$ kubectl describe configmaps -n yb-platform | grep 'application.docker.conf\|allowedOrigins'
application.docker.conf:
allowedOrigins = ["https://<existing entry>"]
The configmap can be modified to add additional entries to the "allowedOrigins" field. This is the field that handles CORS enforcement. For instance, to add localhost on port 10443 to the configmap:
$ kubectl edit configmaps -n yb-platform
application.docker.conf:
<snipped file content>
allowedOrigins = ["https://<existing entry>", "< additional URL required >"]
Apply the changes by deleting the pod and letting Kubernetes regenerate it with the new configmap:
$ kubectl delete -n yb-platform pod/k8s-yugaware-0