From d0d67f9de0fb3b6847215cbb0bc3f8290463796e Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 22 Apr 2021 18:55:30 -0700
Subject: [PATCH] feat: allow prometheus for only authorized users (#12121)

allow restrictions on who can access Prometheus endpoint, additionally add prometheus as part of diagnostics canned policy.

Signed-off-by: Harshavardhana
---
 cmd/metrics.go | 14 +++++++++++++-
 pkg/iam/policy/admin-action.go | 3 +++
 pkg/iam/policy/constants.go | 4 +++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/cmd/metrics.go b/cmd/metrics.go
index 804f6b402..99c3d5352 100644
--- a/cmd/metrics.go
+++ b/cmd/metrics.go
@@ -23,6 +23,7 @@ import (
 "time"
 
 "github.com/minio/minio/cmd/logger"
+ iampolicy "github.com/minio/minio/pkg/iam/policy"
 "github.com/minio/minio/pkg/madmin"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/prometheus/client_golang/prometheus/promhttp"
@@ -751,11 +752,22 @@ func metricsHandler() http.Handler {
 // AuthMiddleware checks if the bearer token is valid and authorized.
 func AuthMiddleware(h http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- claims, _, authErr := webRequestAuthenticate(r)
+ claims, owner, authErr := webRequestAuthenticate(r)
 if authErr != nil || !claims.VerifyIssuer("prometheus", true) {
 w.WriteHeader(http.StatusForbidden)
 return
 }
+ // For authenticated users apply IAM policy.
+ if !globalIAMSys.IsAllowed(iampolicy.Args{
+ AccountName: claims.AccessKey,
+ Action: iampolicy.PrometheusAdminAction,
+ ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
+ IsOwner: owner,
+ Claims: claims.Map(),
+ }) {
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
 h.ServeHTTP(w, r)
 })
 }
diff --git a/pkg/iam/policy/admin-action.go b/pkg/iam/policy/admin-action.go
index 8c5307f67..a3135ecfc 100644
--- a/pkg/iam/policy/admin-action.go
+++ b/pkg/iam/policy/admin-action.go
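Review bot: The doc comment on `AuthMiddleware` still only says the token is checked for validity, while the new body also requires the caller to pass an IAM policy check before the handler runs; suggest `// AuthMiddleware checks that the bearer token is valid, was issued for prometheus, and that the caller's policy allows iampolicy.PrometheusAdminAction.` In the new `iampolicy.Args` literal `claims.Map()` is evaluated twice (for ConditionValues and for Claims); hoisting it into a local such as `claimsMap := claims.Map()` and passing that to both avoids building the map twice. The new policy denial answers 403 with no log entry, which presumably mirrors the existing auth-failure path just above it, but an authenticated caller being refused on the metrics endpoint is the kind of event operators usually want visible; worth confirming whether the other admin handlers in this package record such denials and matching them here.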
@@ -31,6 +31,8 @@ const (
 
 // StorageInfoAdminAction - allow listing server info
 StorageInfoAdminAction = "admin:StorageInfo"
+ // PrometheusAdminAction - prometheus info action
+ PrometheusAdminAction = "admin:Prometheus"
 // DataUsageInfoAdminAction - allow listing data usage info
 DataUsageInfoAdminAction = "admin:DataUsageInfo"
 // ForceUnlockAdminAction - allow force unlocking locks
@@ -141,6 +143,7 @@ var supportedAdminActions = map[AdminAction]struct{}{
 DataUsageInfoAdminAction: {},
 TopLocksAdminAction: {},
 ProfilingAdminAction: {},
+ PrometheusAdminAction: {},
 TraceAdminAction: {},
 ConsoleLogAdminAction: {},
 KMSKeyStatusAdminAction: {},
diff --git a/pkg/iam/policy/constants.go b/pkg/iam/policy/constants.go
index 9605ca35a..2c33eef4a 100644
--- a/pkg/iam/policy/constants.go
+++ b/pkg/iam/policy/constants.go
@@ -76,7 +76,9 @@ var AdminDiagnostics = Policy{
 Actions: NewActionSet(ProfilingAdminAction,
 TraceAdminAction, ConsoleLogAdminAction,
 ServerInfoAdminAction, TopLocksAdminAction,
- HealthInfoAdminAction, BandwidthMonitorAction),
+ HealthInfoAdminAction, BandwidthMonitorAction,
+ PrometheusAdminAction,
+ ),
 Resources: NewResourceSet(NewResource("*", "")),
 },
 },
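Review bot: The comment on the new constant, `// PrometheusAdminAction - prometheus info action`, is vaguer than its neighbours, which each state what the action allows; suggest `// PrometheusAdminAction - allow access to the Prometheus metrics endpoint`. Since `"admin:Prometheus"` is the name operators write into IAM policies, this comment is the only place in the package where its scope is spelled out, so it is worth being precise. The enclosing const block starts and ends outside the hunk.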