feat: allow prometheus for only authorized users (#12121)

allow restrictions on who can access the Prometheus
endpoint; additionally, add prometheus to the
diagnostics canned policy.

Signed-off-by: Harshavardhana <harsha@minio.io>
Harshavardhana 2021-04-22 18:55:30 -07:00 committed by GitHub
parent 4438124948
commit d0d67f9de0
3 changed files with 19 additions and 2 deletions


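--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -23,6 +23,7 @@ import (
 	"time"
 	"github.com/minio/minio/cmd/logger"
+	iampolicy "github.com/minio/minio/pkg/iam/policy"
 	"github.com/minio/minio/pkg/madmin"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -751,11 +752,22 @@ func metricsHandler() http.Handler {
 // AuthMiddleware checks if the bearer token is valid and authorized.
 func AuthMiddleware(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		claims, _, authErr := webRequestAuthenticate(r)
+		claims, owner, authErr := webRequestAuthenticate(r)
 		if authErr != nil || !claims.VerifyIssuer("prometheus", true) {
 			w.WriteHeader(http.StatusForbidden)
 			return
 		}
+		// For authenticated users apply IAM policy.
+		if !globalIAMSys.IsAllowed(iampolicy.Args{
+			AccountName:     claims.AccessKey,
+			Action:          iampolicy.PrometheusAdminAction,
+			ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
+			IsOwner:         owner,
+			Claims:          claims.Map(),
+		}) {
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
 		h.ServeHTTP(w, r)
 	})
 }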
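Review bot: `claims.Map()` is evaluated twice inside the new `iampolicy.Args` literal, once for `ConditionValues` and once for `Claims`; hoist it into a local before the `if`, `claimsMap := claims.Map()`, and pass `claimsMap` in both places so the map is built once per scrape. The doc comment on `AuthMiddleware` still describes only the token check and should mention the new policy gate, e.g. `// AuthMiddleware checks that the bearer token is valid and issued for prometheus, and that IAM policy allows PrometheusAdminAction for the token's account.` Both a bad token and a policy denial answer with a bare 403, so an operator debugging a scraper cannot tell a revoked policy from an invalid token; a log line at the policy-denied branch would make that distinguishable server-side, assuming the `logger` package this file already imports is usable here.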


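--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -31,6 +31,8 @@ const (
 	// StorageInfoAdminAction - allow listing server info
 	StorageInfoAdminAction = "admin:StorageInfo"
+	// PrometheusAdminAction - prometheus info action
+	PrometheusAdminAction = "admin:Prometheus"
 	// DataUsageInfoAdminAction - allow listing data usage info
 	DataUsageInfoAdminAction = "admin:DataUsageInfo"
 	// ForceUnlockAdminAction - allow force unlocking locks
@@ -141,6 +143,7 @@ var supportedAdminActions = map[AdminAction]struct{}{
 	DataUsageInfoAdminAction: {},
 	TopLocksAdminAction:      {},
 	ProfilingAdminAction:     {},
+	PrometheusAdminAction:    {},
 	TraceAdminAction:         {},
 	ConsoleLogAdminAction:    {},
 	KMSKeyStatusAdminAction:  {},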
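Review bot: The doc comment on the new constant, `// PrometheusAdminAction - prometheus info action`, is vaguer than its neighbours, which each state what the action allows; suggest `// PrometheusAdminAction - allow scraping the Prometheus metrics endpoint`. The second hunk registers the action in `supportedAdminActions`, which is what lets it appear in a policy document, so the two hunks together look complete for the constant.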


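--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -76,7 +76,9 @@ var AdminDiagnostics = Policy{
 			Actions: NewActionSet(ProfilingAdminAction,
 				TraceAdminAction, ConsoleLogAdminAction,
 				ServerInfoAdminAction, TopLocksAdminAction,
-				HealthInfoAdminAction, BandwidthMonitorAction),
+				HealthInfoAdminAction, BandwidthMonitorAction,
+				PrometheusAdminAction,
+			),
 			Resources: NewResourceSet(NewResource("*", "")),
 		},
 	},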
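Review bot: Adding `PrometheusAdminAction` to the canned `AdminDiagnostics` policy widens what every principal that already holds that policy can do, since a canned policy is attached by name rather than copied; that matches the commit description, but it should be called out in the release notes so operators know metrics visibility changed for existing diagnostics users. The `AdminDiagnostics` literal starts before this hunk, so its other statements are not visible here.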