From ad75683bde2ea865f8646d3b79a50f35fa2e4775 Mon Sep 17 00:00:00 2001 From: Praveen raj Mani Date: Sun, 22 Sep 2019 20:27:12 +0530 Subject: [PATCH] Authorize prometheus endpoint with bearer token (#7640) --- cmd/generic-handlers.go | 2 +- cmd/metrics-router.go | 2 +- cmd/metrics.go | 14 ++++++++++++ docs/metrics/README.md | 8 +++---- mint/run/core/healthcheck/healthcheck.go | 29 ------------------------ 5 files changed, 20 insertions(+), 35 deletions(-) diff --git a/cmd/generic-handlers.go b/cmd/generic-handlers.go index 1f8dccaf7..fbb10a654 100644 --- a/cmd/generic-handlers.go +++ b/cmd/generic-handlers.go @@ -221,7 +221,7 @@ func guessIsMetricsReq(req *http.Request) bool { return false } aType := getRequestAuthType(req) - return aType == authTypeAnonymous && + return (aType == authTypeAnonymous || aType == authTypeJWT) && req.URL.Path == minioReservedBucketPath+prometheusMetricsPath } diff --git a/cmd/metrics-router.go b/cmd/metrics-router.go index a96f69872..53ae42bea 100644 --- a/cmd/metrics-router.go +++ b/cmd/metrics-router.go @@ -28,5 +28,5 @@ const ( func registerMetricsRouter(router *mux.Router) { // metrics router metricsRouter := router.NewRoute().PathPrefix(minioReservedBucketPath).Subrouter() - metricsRouter.Handle(prometheusMetricsPath, metricsHandler()) + metricsRouter.Handle(prometheusMetricsPath, AuthMiddleware(metricsHandler())) } diff --git a/cmd/metrics.go b/cmd/metrics.go index 802800d16..7828529ca 100644 --- a/cmd/metrics.go +++ b/cmd/metrics.go @@ -199,6 +199,7 @@ func (c *minioCollector) Collect(ch chan<- prometheus.Metric) { } func metricsHandler() http.Handler { + registry := prometheus.NewRegistry() err := registry.Register(minioVersionInfo) @@ -222,4 +223,17 @@ func metricsHandler() http.Handler { ErrorHandling: promhttp.ContinueOnError, }), ) + +} + +// AuthMiddleware checks if the bearer token is valid and authorized. +func AuthMiddleware(h http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + claims, _, authErr := webRequestAuthenticate(r) + if authErr != nil || !claims.VerifyIssuer("prometheus", true) { + w.WriteHeader(http.StatusForbidden) + return + } + h.ServeHTTP(w, r) + }) } diff --git a/docs/metrics/README.md b/docs/metrics/README.md index c12d3a2cb..c3438e5a7 100644 --- a/docs/metrics/README.md +++ b/docs/metrics/README.md @@ -1,10 +1,10 @@ ## MinIO Monitoring Guide -MinIO server exposes monitoring data over un-authenticated endpoints so monitoring tools can pick the data without you having to share MinIO server credentials. This document lists the monitoring endpoints and relevant documentation. +MinIO server exposes monitoring data over endpoints. Monitoring tools can pick the data from these endpoints. This document lists the monitoring endpoints and relevant documentation. ### Healthcheck Probe -MinIO server has two healthcheck related endpoints, a liveness probe to indicate if server is working fine and a readiness probe to indicate if server is not accepting connections due to heavy load. +MinIO server has two healthcheck related un-authenticated endpoints, a liveness probe to indicate if server is working fine and a readiness probe to indicate if server is not accepting connections due to heavy load. - Liveness probe available at `/minio/health/live` - Readiness probe available at `/minio/health/ready` @@ -13,8 +13,8 @@ Read more on how to use these endpoints in [MinIO healthcheck guide](https://git ### Prometheus Probe -MinIO server exposes Prometheus compatible data on a single endpoint. +MinIO server exposes Prometheus compatible data on a single endpoint. By default, the endpoint is authenticated. - Prometheus data available at `/minio/prometheus/metrics` -To use this endpoint, setup Prometheus to scrape data from this endpoint. Read more on how to use Prometheues to monitor MinIO server in [How to monitor MinIO server with Prometheus](https://github.com/minio/cookbook/blob/master/docs/how-to-monitor-minio-with-prometheus.md). +To use this endpoint, setup Prometheus to scrape data from this endpoint. Read more on how to configure and use Prometheus to monitor MinIO server in [How to monitor MinIO server with Prometheus](https://github.com/minio/cookbook/blob/master/docs/how-to-monitor-minio-with-prometheus.md). diff --git a/mint/run/core/healthcheck/healthcheck.go b/mint/run/core/healthcheck/healthcheck.go index 9b25eb15d..c66977691 100644 --- a/mint/run/core/healthcheck/healthcheck.go +++ b/mint/run/core/healthcheck/healthcheck.go @@ -144,34 +144,6 @@ func testReadinessEndpoint(endpoint string) { defer successLogger(function, nil, startTime).Info() } -func testPrometheusEndpoint(endpoint string) { - startTime := time.Now() - function := "testPrometheusEndpoint" - - u, err := url.Parse(fmt.Sprintf("%s%s", endpoint, prometheusPath)) - if err != nil { - // Could not parse URL successfully - failureLog(function, nil, startTime, "", "URL Parsing for Healthcheck Prometheus handler failed", err).Fatal() - } - - tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } - client := &http.Client{Transport: tr, Timeout: timeout} - resp, err := client.Get(u.String()) - if err != nil { - // GET request errored - failureLog(function, nil, startTime, "", "GET request to Prometheus endpoint failed", err).Fatal() - } - if resp.StatusCode != http.StatusOK { - // Status not 200 OK - failureLog(function, nil, startTime, "", "GET /minio/prometheus/metrics returned non OK status", err).Fatal() - } - - defer resp.Body.Close() - defer successLogger(function, nil, startTime).Info() -} - func main() { endpoint := os.Getenv("SERVER_ENDPOINT") secure := os.Getenv("ENABLE_HTTPS") @@ -191,5 +163,4 @@ func main() { // execute tests testLivenessEndpoint(endpoint) testReadinessEndpoint(endpoint) - testPrometheusEndpoint(endpoint) }