Allow enable/disable of Prometheus endpoints
Since these are unauthenticated, it might be the case that an administrator wishes to completely disable these metrics endpoints. Provide that option via pvc.conf through pvc-ansible's existing enable_prometheus_exporters option and the new enable_prometheus configuration flag. Defaults to "yes" to provide all functionality unless explicitly disabled, as the author assumes that the PVC API is secured in other ways as well and that metric information is not completely sensitive.
This commit is contained in:
parent
52f68909f6
commit
4969e90f8a
|
@ -629,8 +629,9 @@ class API_Metrics(Resource):
|
||||||
Return the current PVC cluster status in Prometheus-compatible metrics format and
|
Return the current PVC cluster status in Prometheus-compatible metrics format and
|
||||||
the Ceph cluster metrics as one document.
|
the Ceph cluster metrics as one document.
|
||||||
|
|
||||||
Endpoint is unauthenticated to allow metrics exfiltration without having to deal
|
Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal
|
||||||
with the Prometheus compatibility later.
|
with Prometheus compatibility (only basic auth support). Ensure this API endpoint
|
||||||
|
is only opened to trusted networks that cannot abuse the data provided!
|
||||||
---
|
---
|
||||||
tags:
|
tags:
|
||||||
- root
|
- root
|
||||||
|
@ -657,7 +658,8 @@ class API_Metrics(Resource):
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
api.add_resource(API_Metrics, "/metrics")
|
if config["enable_prometheus"]:
|
||||||
|
api.add_resource(API_Metrics, "/metrics")
|
||||||
|
|
||||||
|
|
||||||
# /metrics/health
|
# /metrics/health
|
||||||
|
@ -666,8 +668,9 @@ class API_Metrics_Health(Resource):
|
||||||
"""
|
"""
|
||||||
Return the current PVC cluster health status in Prometheus-compatible metrics format
|
Return the current PVC cluster health status in Prometheus-compatible metrics format
|
||||||
|
|
||||||
Endpoint is unauthenticated to allow metrics exfiltration without having to deal
|
Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal
|
||||||
with the Prometheus compatibility later.
|
with Prometheus compatibility (only basic auth support). Ensure this API endpoint
|
||||||
|
is only opened to trusted networks that cannot abuse the data provided!
|
||||||
---
|
---
|
||||||
tags:
|
tags:
|
||||||
- root
|
- root
|
||||||
|
@ -691,7 +694,8 @@ class API_Metrics_Health(Resource):
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
api.add_resource(API_Metrics_Health, "/metrics/health")
|
if config["enable_prometheus"]:
|
||||||
|
api.add_resource(API_Metrics_Health, "/metrics/health")
|
||||||
|
|
||||||
|
|
||||||
# /metrics/resource
|
# /metrics/resource
|
||||||
|
@ -700,8 +704,9 @@ class API_Metrics_Resource(Resource):
|
||||||
"""
|
"""
|
||||||
Return the current PVC cluster resource utilizations in Prometheus-compatible metrics format
|
Return the current PVC cluster resource utilizations in Prometheus-compatible metrics format
|
||||||
|
|
||||||
Endpoint is unauthenticated to allow metrics exfiltration without having to deal
|
Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal
|
||||||
with the Prometheus compatibility later.
|
with Prometheus compatibility (only basic auth support). Ensure this API endpoint
|
||||||
|
is only opened to trusted networks that cannot abuse the data provided!
|
||||||
---
|
---
|
||||||
tags:
|
tags:
|
||||||
- root
|
- root
|
||||||
|
@ -725,7 +730,8 @@ class API_Metrics_Resource(Resource):
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
api.add_resource(API_Metrics_Resource, "/metrics/resource")
|
if config["enable_prometheus"]:
|
||||||
|
api.add_resource(API_Metrics_Resource, "/metrics/resource")
|
||||||
|
|
||||||
|
|
||||||
# /metrics/ceph
|
# /metrics/ceph
|
||||||
|
@ -736,6 +742,10 @@ class API_Metrics_Ceph(Resource):
|
||||||
|
|
||||||
Proxies a metrics request to the current active MGR, since this is dynamic
|
Proxies a metrics request to the current active MGR, since this is dynamic
|
||||||
and can't be controlled by PVC easily.
|
and can't be controlled by PVC easily.
|
||||||
|
|
||||||
|
Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal
|
||||||
|
with Prometheus compatibility (only basic auth support). Ensure this API endpoint
|
||||||
|
is only opened to trusted networks that cannot abuse the data provided!
|
||||||
---
|
---
|
||||||
tags:
|
tags:
|
||||||
- root
|
- root
|
||||||
|
@ -759,7 +769,8 @@ class API_Metrics_Ceph(Resource):
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
api.add_resource(API_Metrics_Ceph, "/metrics/ceph")
|
if config["enable_prometheus"]:
|
||||||
|
api.add_resource(API_Metrics_Ceph, "/metrics/ceph")
|
||||||
|
|
||||||
|
|
||||||
# /metrics/zookeeper
|
# /metrics/zookeeper
|
||||||
|
@ -770,6 +781,10 @@ class API_Metrics_Zookeeper(Resource):
|
||||||
|
|
||||||
Proxies a metrics request to the current primary node, since all coordinators
|
Proxies a metrics request to the current primary node, since all coordinators
|
||||||
run an active Zookeeper instance and we want one central location.
|
run an active Zookeeper instance and we want one central location.
|
||||||
|
|
||||||
|
Endpoint is UNAUTHENTICATED to allow metrics exfiltration without having to deal
|
||||||
|
with Prometheus compatibility (only basic auth support). Ensure this API endpoint
|
||||||
|
is only opened to trusted networks that cannot abuse the data provided!
|
||||||
---
|
---
|
||||||
tags:
|
tags:
|
||||||
- root
|
- root
|
||||||
|
@ -793,7 +808,8 @@ class API_Metrics_Zookeeper(Resource):
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
api.add_resource(API_Metrics_Zookeeper, "/metrics/zookeeper")
|
if config["enable_prometheus"]:
|
||||||
|
api.add_resource(API_Metrics_Zookeeper, "/metrics/zookeeper")
|
||||||
|
|
||||||
|
|
||||||
# /faults
|
# /faults
|
||||||
|
|
|
@ -176,6 +176,7 @@ def get_parsed_configuration(config_file):
|
||||||
"enable_storage": o_subsystem.get("enable_storage", True),
|
"enable_storage": o_subsystem.get("enable_storage", True),
|
||||||
"enable_worker": o_subsystem.get("enable_worker", True),
|
"enable_worker": o_subsystem.get("enable_worker", True),
|
||||||
"enable_api": o_subsystem.get("enable_api", True),
|
"enable_api": o_subsystem.get("enable_api", True),
|
||||||
|
"enable_prometheus": o_subsystem.get("enable_prometheus", True),
|
||||||
}
|
}
|
||||||
config = {**config, **config_subsystem}
|
config = {**config, **config_subsystem}
|
||||||
|
|
||||||
|
|
|
@ -44,6 +44,9 @@ subsystem:
|
||||||
# Enable or disable the API client, if installed, when node is Primary
|
# Enable or disable the API client, if installed, when node is Primary
|
||||||
enable_api: yes
|
enable_api: yes
|
||||||
|
|
||||||
|
# Enable or disable the Prometheus metrics endpoints in the API; if disabled, these return 404
|
||||||
|
enable_prometheus: yes
|
||||||
|
|
||||||
# Cluster configuration
|
# Cluster configuration
|
||||||
cluster:
|
cluster:
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue