This is an automated email from the ASF dual-hosted git repository. elek pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/hadoop-ozone.git
The following commit(s) were added to refs/heads/master by this push: new 1293258 HDDS-3321. Prometheus endpoint should have an option to be configured with Token based authentication. 1293258 is described below commit 129325829ebdbea5359db2081d2f9f3850d5bb1b Author: Aravindan Vijayan <avija...@cloudera.com> AuthorDate: Tue Apr 28 16:29:06 2020 +0200 HDDS-3321. Prometheus endpoint should have an option to be configured with Token based authentication. Closes #751
---
 .../hadoop/hdds/conf/HddsPrometheusConfig.java | 44 ++++++++++++++++++++++ .../hadoop/hdds/server/http/BaseHttpServer.java | 20 +++++++++- .../hadoop/hdds/server/http/PrometheusServlet.java | 15 ++++++++ 3 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/conf/HddsPrometheusConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/conf/HddsPrometheusConfig.java
new file mode 100644
index 0000000..a95ad67
--- /dev/null
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/conf/HddsPrometheusConfig.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdds.conf;
+
+/**
+ * The configuration class for the Prometheus endpoint.
+ */
+@ConfigGroup(prefix = "hdds.prometheus.")
+public class HddsPrometheusConfig {
+
+ @Config(key = "endpoint.token",
+ type = ConfigType.STRING,
+ defaultValue = "",
+ tags = { ConfigTag.SECURITY, ConfigTag.MANAGEMENT },
+ description = "Allowed authorization token while using prometheus " +
+ "servlet endpoint. This will disable SPNEGO based authentication on" +
+ " the endpoint."
+ )
+ private String prometheusEndpointToken;
+
+ public String getPrometheusEndpointToken() {
+ return prometheusEndpointToken;
+ }
+
+ public void setPrometheusEndpointToken(String prometheusEndpointToken) {
+ this.prometheusEndpointToken = prometheusEndpointToken;
+ }
+}
\ No newline at end of file
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
index 2f6df58..025a68c 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
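Review bot: The new config class never says how the token is presented or that it is a credential: `prometheusEndpointToken` and its getter/setter carry no Javadoc, and the `description` only says the option disables SPNEGO. I would add a Javadoc on the field such as `/** Shared secret a scraper must send as {@code Authorization: Bearer <token>}; the configured value is a credential and should be protected like one. */`, since the matching check lives in PrometheusServlet in this same commit. The file also ends without a trailing newline (`\ No newline at end of file`), which the project's checkstyle may flag.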
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
@@ -29,6 +29,8 @@ import org.apache.hadoop.hdds.DFSConfigKeysLegacy;
 import org.apache.hadoop.hdds.HddsConfigKeys;
 import org.apache.hadoop.hdds.conf.ConfigurationSource;
 import org.apache.hadoop.hdds.conf.HddsConfServlet;
+import org.apache.hadoop.hdds.conf.HddsPrometheusConfig;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
 import org.apache.hadoop.hdds.utils.LegacyHadoopConfigurationSource;
 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
 import org.apache.hadoop.net.NetUtils;
@@ -120,7 +122,23 @@ public abstract class BaseHttpServer {
 prometheusMetricsSink = new PrometheusMetricsSink();
 httpServer.getWebAppContext().getServletContext()
 .setAttribute(PROMETHEUS_SINK, prometheusMetricsSink);
- httpServer.addServlet("prometheus", "/prom", PrometheusServlet.class);
+ HddsPrometheusConfig prometheusConfig =
+ OzoneConfiguration.of(conf).getObject(HddsPrometheusConfig.class);
+ String token = prometheusConfig.getPrometheusEndpointToken();
+ if (StringUtils.isNotEmpty(token)) {
+ httpServer.getWebAppContext().getServletContext()
+ .setAttribute(PrometheusServlet.SECURITY_TOKEN, token);
+ // Adding as internal servlet since we want to have token based
+ // auth and hence SPNEGO should be disabled if security is enabled.
+ httpServer.addInternalServlet("prometheus", "/prom",
+ PrometheusServlet.class);
+ } else {
+ // If token is not configured, keeping as regular servlet and not
+ // internal servlet since we do not want to expose /prom endpoint
+ // without authentication in a secure cluster.
+ httpServer.addServlet("prometheus", "/prom",
+ PrometheusServlet.class);
+ }
 }
 if (profilerSupport) {
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java
index 77c2136..0d01aa4 100644
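Review bot: `StringUtils.isNotEmpty(token)` in the `@@ -120,7 +122,23 @@` hunk treats a whitespace-only value as a configured token, which switches /prom onto the `addInternalServlet` path (SPNEGO off) guarded only by that blank secret; `if (StringUtils.isNotBlank(token)) {` is the safer test, and the value should be trimmed before it is stored in the context. Because this branch deliberately bypasses SPNEGO in a secure cluster, it is also worth a WARN-level log line stating that /prom is token-protected rather than SPNEGO-protected, so operators can see which mode is active. The token is kept as a servlet-context attribute, so presumably every servlet in the web app can read it — acceptable if all of them are trusted, but worth a comment on the `setAttribute` call. The enclosing method starts and ends outside the hunk.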
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java
@@ -34,6 +34,9 @@ import io.prometheus.client.exporter.common.TextFormat;
 */
 public class PrometheusServlet extends HttpServlet {
+ public static final String SECURITY_TOKEN = "PROMETHEUS_SECURITY_TOKEN";
+ public static final String BEARER = "Bearer";
+
 public PrometheusMetricsSink getPrometheusSink() {
 return (PrometheusMetricsSink) getServletContext().getAttribute(
@@ -43,6 +46,18 @@ public class PrometheusServlet extends HttpServlet {
 @Override
 protected void doGet(HttpServletRequest req, HttpServletResponse resp)
 throws ServletException, IOException {
+ String securityToken =
+ (String) getServletContext().getAttribute(SECURITY_TOKEN);
+ if (securityToken != null) {
+ String authorizationHeader = req.getHeader("Authorization");
+ if (authorizationHeader == null
+ || !authorizationHeader.startsWith(BEARER)
+ || !securityToken.equals(
+ authorizationHeader.substring(BEARER.length() + 1))) {
+ resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+ }
 DefaultMetricsSystem.instance().publishMetricsNow();
 PrintWriter writer = resp.getWriter();
 getPrometheusSink().writeMetrics(writer);
---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: ozone-commits-h...@hadoop.apache.org
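Review bot: The bearer check in the `@@ -43,6 +46,18 @@` hunk tests `startsWith(BEARER)` but then reads `substring(BEARER.length() + 1)`, so a header of exactly `Bearer` throws StringIndexOutOfBoundsException (a 500 instead of the intended 403) and a header like `Bearerxyz` passes the scheme test, and `securityToken.equals(...)` compares a secret with an early-exit string comparison whose timing depends on how many leading characters match. Match on `BEARER + " "` and compare with `MessageDigest.isEqual` over UTF-8 bytes as below; this needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported. A 401 with a `WWW-Authenticate: Bearer` header is arguably the more accurate status for a missing or bad credential than 403, though either is defensible. doGet continues past the end of the hunk.
```java
      String authorizationHeader = req.getHeader("Authorization");
      String expectedPrefix = BEARER + " ";
      if (authorizationHeader == null
          || !authorizationHeader.startsWith(expectedPrefix)
          // Constant-time comparison so response timing does not reveal
          // how much of the configured token a guess matched.
          || !MessageDigest.isEqual(
              securityToken.getBytes(StandardCharsets.UTF_8),
              authorizationHeader.substring(expectedPrefix.length())
                  .getBytes(StandardCharsets.UTF_8))) {
        resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        return;
      }
      // … unchanged: publishMetricsNow() and writeMetrics(writer) …
```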