From 4969e90f8a7bf0f925a757606c8e688e70ec57d7 Mon Sep 17 00:00:00 2001 From: "Joshua M. Boniface" Date: Fri, 29 Dec 2023 09:23:35 -0500 Subject: [PATCH] Allow enable/disable of Prometheus endpoints Since these are unauthenticated, it might be the case that an administrator wishes to completely disable these metrics endpoints. Provide that option via pvc.conf through pvc-ansible's existing enable_prometheus_exporters option and the new enable_prometheus configuration flag. Defaults to "yes" to provide all functionality unless explicitly disabled, as the author assumes that the PVC API is secured in other ways as well and that metric information is not completely sensitive. --- api-daemon/pvcapid/flaskapi.py | 38 ++++++++++++++++++++++++---------- daemon-common/config.py | 1 + pvc.sample.conf | 3 +++ 3 files changed, 31 insertions(+), 11 deletions(-) diff --git a/api-daemon/pvcapid/flaskapi.py b/api-daemon/pvcapid/flaskapi.py index d1262490..01f0a335 100755 --- a/api-daemon/pvcapid/flaskapi.py +++ b/api-daemon/pvcapid/flaskapi.py @@ -629,8 +629,9 @@ class API_Metrics(Resource): Return the current PVC cluster status in Prometheus-compatible metrics format and the Ceph cluster metrics as one document. - Endpoint is unauthenticated to allow metrics exfiltration without having to deal - with the Prometheus compatibility later. + Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal + with Prometheus compatibility (only basic auth support). Ensure this API endpoint + is only opened to trusted networks that cannot abuse the data provided! --- tags: - root @@ -657,7 +658,8 @@ class API_Metrics(Resource): return response -api.add_resource(API_Metrics, "/metrics") +if config["enable_prometheus"]: + api.add_resource(API_Metrics, "/metrics") # /metrics/health 
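Review bot: The rewritten warning in the `API_Metrics` docstring tells the reader to restrict network access but never mentions that the endpoint can now be switched off, and the parenthetical `(only basic auth support)` does not say whose limitation it describes. Since this commit adds the switch, I would append a sentence such as `Set enable_prometheus: no in pvc.conf to remove this endpoint.` and spell out the parenthetical. The same text is repeated in the docstring hunks for `API_Metrics_Health`, `API_Metrics_Resource`, `API_Metrics_Ceph` and `API_Metrics_Zookeeper`, so the wording change applies to all five. The text sits above the `---` separator, so it presumably also appears in the generated API documentation.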
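Review bot: The two-line guard `if config["enable_prometheus"]:` before `api.add_resource(API_Metrics, "/metrics")` is copied verbatim for the other four registrations (`/metrics/health`, `/metrics/resource`, `/metrics/ceph`, `/metrics/zookeeper`), so a sixth unauthenticated metrics route added later can be registered without the guard and nothing will flag it. Keeping the gated routes in one table after the last `API_Metrics_*` class would make the full set of unauthenticated endpoints visible in one place. The guard also runs once when the module is loaded, so a change to the flag presumably needs an API daemon restart; a short comment next to the check should say so.

```python
# … unchanged: API_Metrics* class definitions …

# Unauthenticated Prometheus routes; all of them are gated by one flag.
PROMETHEUS_RESOURCES = (
    (API_Metrics, "/metrics"),
    (API_Metrics_Health, "/metrics/health"),
    (API_Metrics_Resource, "/metrics/resource"),
    (API_Metrics_Ceph, "/metrics/ceph"),
    (API_Metrics_Zookeeper, "/metrics/zookeeper"),
)

if config["enable_prometheus"]:
    for resource_class, route in PROMETHEUS_RESOURCES:
        api.add_resource(resource_class, route)
```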
@@ -666,8 +668,9 @@ class API_Metrics_Health(Resource): """ Return the current PVC cluster health status in Prometheus-compatible metrics format - Endpoint is unauthenticated to allow metrics exfiltration without having to deal - with the Prometheus compatibility later. + Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal + with Prometheus compatibility (only basic auth support). Ensure this API endpoint + is only opened to trusted networks that cannot abuse the data provided! --- tags: - root @@ -691,7 +694,8 @@ class API_Metrics_Health(Resource): return response -api.add_resource(API_Metrics_Health, "/metrics/health") +if config["enable_prometheus"]: + api.add_resource(API_Metrics_Health, "/metrics/health") # /metrics/resource @@ -700,8 +704,9 @@ class API_Metrics_Resource(Resource): """ Return the current PVC cluster resource utilizations in Prometheus-compatible metrics format - Endpoint is unauthenticated to allow metrics exfiltration without having to deal - with the Prometheus compatibility later. + Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal + with Prometheus compatibility (only basic auth support). Ensure this API endpoint + is only opened to trusted networks that cannot abuse the data provided! --- tags: - root @@ -725,7 +730,8 @@ class API_Metrics_Resource(Resource): return response -api.add_resource(API_Metrics_Resource, "/metrics/resource") +if config["enable_prometheus"]: + api.add_resource(API_Metrics_Resource, "/metrics/resource") # /metrics/ceph @@ -736,6 +742,10 @@ class API_Metrics_Ceph(Resource): Proxies a metrics request to the current active MGR, since this is dynamic and can't be controlled by PVC easily. + + Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal + with Prometheus compatibility (only basic auth support). Ensure this API endpoint + is only opened to trusted networks that cannot abuse the data provided! --- tags: - root 
@@ -759,7 +769,8 @@ class API_Metrics_Ceph(Resource): return response -api.add_resource(API_Metrics_Ceph, "/metrics/ceph") +if config["enable_prometheus"]: + api.add_resource(API_Metrics_Ceph, "/metrics/ceph") # /metrics/zookeeper @@ -770,6 +781,10 @@ class API_Metrics_Zookeeper(Resource): Proxies a metrics request to the current primary node, since all coordinators run an active Zookeeper instance and we want one central location. + + Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal + with Prometheus compatibility (only basic auth support). Ensure this API endpoint + is only opened to trusted networks that cannot abuse the data provided! --- tags: - root @@ -793,7 +808,8 @@ class API_Metrics_Zookeeper(Resource): return response -api.add_resource(API_Metrics_Zookeeper, "/metrics/zookeeper") +if config["enable_prometheus"]: + api.add_resource(API_Metrics_Zookeeper, "/metrics/zookeeper") # /faults diff --git a/daemon-common/config.py b/daemon-common/config.py index 8ebde8e9..8222439d 100644 --- a/daemon-common/config.py +++ b/daemon-common/config.py @@ -176,6 +176,7 @@ def get_parsed_configuration(config_file): "enable_storage": o_subsystem.get("enable_storage", True), "enable_worker": o_subsystem.get("enable_worker", True), "enable_api": o_subsystem.get("enable_api", True), + "enable_prometheus": o_subsystem.get("enable_prometheus", True), } config = {**config, **config_subsystem} diff --git a/pvc.sample.conf b/pvc.sample.conf index e4fb3e7b..7ac9b84e 100644 --- a/pvc.sample.conf +++ b/pvc.sample.conf @@ -44,6 +44,9 @@ subsystem: # Enable or disable the API client, if installed, when node is Primary enable_api: yes + # Enable or disable the Prometheus metrics endpoints in the API; if disabled, these return 404 + enable_prometheus: yes + # Cluster configuration cluster:
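Review bot: The new `"enable_prometheus": o_subsystem.get("enable_prometheus", True)` entry stores whatever the file contains, and the API side only tests it for truthiness. Depending on how the loader types the value, a quoted or misspelled setting such as `"no"` or `disabled` would arrive as a non-empty string and leave the unauthenticated endpoints registered. For a switch whose purpose is to close an unauthenticated surface, I would reject anything that is not a `bool` here (read the value into a local, check `isinstance(value, bool)`, and raise a configuration error otherwise) rather than fail open. The neighbouring `enable_*` keys are read the same way, so the check may be better done once for the whole `config_subsystem` dict. `get_parsed_configuration` starts and ends outside the hunk.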
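Review bot: The sample comment for `enable_prometheus` does not say that the metrics endpoints are unauthenticated, which is the reason the option exists and the fact an administrator needs in order to decide. I would extend it to something like `# Enable or disable the Prometheus metrics endpoints in the API (these are UNAUTHENTICATED; expose the API only to trusted networks); if disabled, these return 404`. The default of `yes` keeps the previous behaviour, so apart from the API docstrings this comment is the only place an operator is told about the exposure.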