Description of problem: Developing a Webapp using js and trying to create a tenant and then create quotas for that tenant. I was able to create the tenant, then from response, I got the id and call the api to create a quota for that tenant. However, I don't get the cors from /api/tenants/:id/quotas and get 404 error. Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://localhost/api/tenants/1000000000140/quotas. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://localhost/api/tenants/1000000000140/quotas. (Reason: CORS request did not succeed). Version-Release number of selected component (if applicable): cfme-5.9.2 How reproducible: Always Steps to Reproduce: 1. Create tenant using js 2. Get tenant id 3. Using tenant id, create quotas for it. Actual results: CORS request did not succeed Expected results: CORS request should succeed Additional info: /api/tenants/:id/quotas doesn't return correct headers.
Can you please try to recreate this issue outside of the js code you've included? It's not clear if this is an issue with the API or the js that is calling it. Thanks!
Hi Greg, Thank you for your reply. I am able to create the tenant and quota via api on my test system and status is 200 OK. I have created them as follows: ~~~ ### Tenant create ### { "action" : "create", "resource" : { "name": "tenantapi", "description": "Tenant for api", "parent": {"id": "99000000000001"} } } ### Quota create ### { "action" : "create", "resources" : [ { "name" : "cpu_allocated", "value" : 1 }, { "name": "mem_allocated", "value": 2147483648000 } ] } ~~~ However, customer is facing this issue with js. He able to create the tenant and groups via js but facing CORS error while creating quotas. The /api/tenants/:id/quotas is not returning correct headers. All we have to do is opt-in to CORS requests on cfme API server by returning the proper headers based on the request. Regards, Niks
https://github.com/ManageIQ/manageiq-api/pull/495
New commit detected on ManageIQ/manageiq-api/master: https://github.com/ManageIQ/manageiq-api/commit/5edf913e6ae26c3a6f5f6bb9836c1d2776fbb52d commit 5edf913e6ae26c3a6f5f6bb9836c1d2776fbb52d Author: Joe VLcek <jvlcek> AuthorDate: Tue Oct 16 14:41:38 2018 -0400 Commit: Joe VLcek <jvlcek> CommitDate: Tue Oct 16 14:41:38 2018 -0400 Add subcollection options support for CORS prefilghted requests https://bugzilla.redhat.com/show_bug.cgi?id=1599259 app/controllers/api/base_controller.rb | 6 +- config/routes.rb | 3 + spec/requests/tenant_quotas_spec.rb | 6 + 3 files changed, 14 insertions(+), 1 deletion(-)
New commit detected on ManageIQ/manageiq-api/hammer: https://github.com/ManageIQ/manageiq-api/commit/9b4e42018e90d95bc0d46cfe970859ee82386146 commit 9b4e42018e90d95bc0d46cfe970859ee82386146 Author: Alberto Bellotti <abellotti.github.com> AuthorDate: Thu Oct 18 16:14:04 2018 -0400 Commit: Alberto Bellotti <abellotti.github.com> CommitDate: Thu Oct 18 16:14:04 2018 -0400 Merge pull request #495 from jvlcek/bz_1599259_CORS Add subcollection options support for CORS prefilghted requests (cherry picked from commit 3502e51181ce92c28866a4626fdfadf0d31bd591) https://bugzilla.redhat.com/show_bug.cgi?id=1599259 app/controllers/api/base_controller.rb | 6 +- config/routes.rb | 3 + spec/requests/tenant_quotas_spec.rb | 6 + 3 files changed, 14 insertions(+), 1 deletion(-)
FIXED. Verified on 5.10.0.24.20181113213923_03b81fd. Steps taken to verify the BZ: 1) Create `tenant` using API. Request: POST /api/tenants Query: { "name" : "Test Tenant", "description" : "Test Tenant Description", "parent" : { "href" : "http://<ip_address>/api/tenants/:id" } } 2) Create quota for the tenant. Request: POST /api/tenants/:id/quotas Query: { "name" : "cpu_allocated", "value" : 1 } 3) Send `OPTIONS` to /api/tenants/:id/quotas and check HEADER. HEADERS: Date: Wed, 21 Nov 2018 07:08:21 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_auth_kerb/5.4 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS Content-Type: application/json; charset=utf-8 Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report Strict-Transport-Security: max-age=631152000 X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block Cache-Control: no-cache X-Request-Id: d0a3cbba-1c51-4781-a695-903088ec8bc6 X-Runtime: 0.013794 Content-Length: 0 These are headers from the request sent to a 5.9.2 appliance. Date: Wed, 21 Nov 2018 07:08:54 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 Content-Type: text/html; charset=utf-8 X-Request-Id: 4fdae38a-5977-4244-918f-e4a0b966be6f X-Runtime: 0.003523 Content-Length: 728 This was not verified via AJAX Request. I checked via CURL and verified that `Access-Control-Allow-Origin` was present in the HEADER of OPTIONS request sent to a 5.10.0.24 appliance, which was earlier not present in the HEADER of OPTIONS request sent to a 5.9.2 appliance.