Allow enable/disable of Prometheus endpoints

Since these are unauthenticated, it might be the case that an
administrator wishes to completely disable these metrics endpoints.
Provide that option via pvc.conf through pvc-ansible's existing
enable_prometheus_exporters option and the new enable_prometheus
configuration flag.

Defaults to "yes" to provide all functionality unless explicitly
disabled, as the author assumes that the PVC API is secured in other
ways as well and that metric information is not completely sensitive.
Joshua Boniface 2023-12-29 09:23:35 -05:00
parent 52f68909f6
commit 4969e90f8a
3 changed files with 31 additions and 11 deletions

@ -629,8 +629,9 @@ class API_Metrics(Resource):
Return the current PVC cluster status in Prometheus-compatible metrics format and Return the current PVC cluster status in Prometheus-compatible metrics format and
the Ceph cluster metrics as one document. the Ceph cluster metrics as one document.
Endpoint is unauthenticated to allow metrics exfiltration without having to deal Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal
with the Prometheus compatibility later. with Prometheus compatibility (only basic auth support). Ensure this API endpoint
is only opened to trusted networks that cannot abuse the data provided!
--- ---
tags: tags:
- root - root
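Review bot: the new warning in the API_Metrics docstring tells operators to keep the endpoint on trusted networks but never names the switch this commit adds. Mention that setting `enable_prometheus` to a false value in pvc.conf removes the route, so a reader of the API documentation learns how to turn it off. The parenthetical "(only basic auth support)" would also be clearer if it said which side is limited to basic auth.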
@ -657,7 +658,8 @@ class API_Metrics(Resource):
return response return response
api.add_resource(API_Metrics, "/metrics") if config["enable_prometheus"]:
api.add_resource(API_Metrics, "/metrics")
# /metrics/health # /metrics/health
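Review bot: the `if config["enable_prometheus"]:` guard around `api.add_resource(API_Metrics, "/metrics")` is repeated separately for each metrics route in this file, so a route added later without the guard would stay reachable, unauthenticated, even with the flag off. Consider registering all of the `/metrics` resources inside one guarded block or loop so the flag has a single enforcement point. A test that each of the five paths returns 404 when the flag is false would keep that from regressing.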
@ -666,8 +668,9 @@ class API_Metrics_Health(Resource):
""" """
Return the current PVC cluster health status in Prometheus-compatible metrics format Return the current PVC cluster health status in Prometheus-compatible metrics format
Endpoint is unauthenticated to allow metrics exfiltration without having to deal Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal
with the Prometheus compatibility later. with Prometheus compatibility (only basic auth support). Ensure this API endpoint
is only opened to trusted networks that cannot abuse the data provided!
--- ---
tags: tags:
- root - root
@ -691,7 +694,8 @@ class API_Metrics_Health(Resource):
return response return response
api.add_resource(API_Metrics_Health, "/metrics/health") if config["enable_prometheus"]:
api.add_resource(API_Metrics_Health, "/metrics/health")
# /metrics/resource # /metrics/resource
@ -700,8 +704,9 @@ class API_Metrics_Resource(Resource):
""" """
Return the current PVC cluster resource utilizations in Prometheus-compatible metrics format Return the current PVC cluster resource utilizations in Prometheus-compatible metrics format
Endpoint is unauthenticated to allow metrics exfiltration without having to deal Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal
with the Prometheus compatibility later. with Prometheus compatibility (only basic auth support). Ensure this API endpoint
is only opened to trusted networks that cannot abuse the data provided!
--- ---
tags: tags:
- root - root
@ -725,7 +730,8 @@ class API_Metrics_Resource(Resource):
return response return response
api.add_resource(API_Metrics_Resource, "/metrics/resource") if config["enable_prometheus"]:
api.add_resource(API_Metrics_Resource, "/metrics/resource")
# /metrics/ceph # /metrics/ceph
@ -736,6 +742,10 @@ class API_Metrics_Ceph(Resource):
Proxies a metrics request to the current active MGR, since this is dynamic Proxies a metrics request to the current active MGR, since this is dynamic
and can't be controlled by PVC easily. and can't be controlled by PVC easily.
Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal
with Prometheus compatibility (only basic auth support). Ensure this API endpoint
is only opened to trusted networks that cannot abuse the data provided!
--- ---
tags: tags:
- root - root
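Review bot: the warning added to the API_Metrics_Ceph docstring should also say what the flag does not cover. This resource proxies to the active MGR, and the guard in this commit only decides whether the PVC API route is registered. State here, or in the pvc.conf comment, whether the upstream exporter is controlled separately; the commit message names `enable_prometheus_exporters` for that, but nothing in the docstring points to it.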
@ -759,7 +769,8 @@ class API_Metrics_Ceph(Resource):
return response return response
api.add_resource(API_Metrics_Ceph, "/metrics/ceph") if config["enable_prometheus"]:
api.add_resource(API_Metrics_Ceph, "/metrics/ceph")
# /metrics/zookeeper # /metrics/zookeeper
@ -770,6 +781,10 @@ class API_Metrics_Zookeeper(Resource):
Proxies a metrics request to the current primary node, since all coordinators Proxies a metrics request to the current primary node, since all coordinators
run an active Zookeeper instance and we want one central location. run an active Zookeeper instance and we want one central location.
Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal
with Prometheus compatibility (only basic auth support). Ensure this API endpoint
is only opened to trusted networks that cannot abuse the data provided!
--- ---
tags: tags:
- root - root
@ -793,7 +808,8 @@ class API_Metrics_Zookeeper(Resource):
return response return response
api.add_resource(API_Metrics_Zookeeper, "/metrics/zookeeper") if config["enable_prometheus"]:
api.add_resource(API_Metrics_Zookeeper, "/metrics/zookeeper")
# /faults # /faults

@ -176,6 +176,7 @@ def get_parsed_configuration(config_file):
"enable_storage": o_subsystem.get("enable_storage", True), "enable_storage": o_subsystem.get("enable_storage", True),
"enable_worker": o_subsystem.get("enable_worker", True), "enable_worker": o_subsystem.get("enable_worker", True),
"enable_api": o_subsystem.get("enable_api", True), "enable_api": o_subsystem.get("enable_api", True),
"enable_prometheus": o_subsystem.get("enable_prometheus", True),
} }
config = {**config, **config_subsystem} config = {**config, **config_subsystem}
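Review bot: `o_subsystem.get("enable_prometheus", True)` passes the raw value through, and the API side tests it with a plain `if config["enable_prometheus"]:`, so any non-empty string (a quoted "no", for example) is truthy and leaves the unauthenticated endpoints registered. Check that the value is a boolean at parse time and fail with a clear error otherwise. Because the default is True, existing configurations without the key keep the endpoints exposed after upgrade, which deserves a line in the release notes.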

@ -44,6 +44,9 @@ subsystem:
# Enable or disable the API client, if installed, when node is Primary # Enable or disable the API client, if installed, when node is Primary
enable_api: yes enable_api: yes
# Enable or disable the Prometheus metrics endpoints in the API; if disabled, these return 404
enable_prometheus: yes
# Cluster configuration # Cluster configuration
cluster: cluster:
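Review bot: the comment above `enable_prometheus: yes` explains the 404 behaviour but not why an administrator would turn the option off. Add that these endpoints are unauthenticated, matching the docstring warnings, so the trade-off is visible at the place where the setting is made.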