Posted to commits@ozone.apache.org by el...@apache.org on 2020/04/28 14:34:38 UTC

[hadoop-ozone] branch master updated: HDDS-3321. Prometheus endpoint should have an option to be configured with Token based authentication.

This is an automated email from the ASF dual-hosted git repository.

elek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hadoop-ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new 1293258  HDDS-3321. Prometheus endpoint should have an option to be configured with Token based authentication.
1293258 is described below

commit 129325829ebdbea5359db2081d2f9f3850d5bb1b
Author: Aravindan Vijayan <av...@cloudera.com>
AuthorDate: Tue Apr 28 16:29:06 2020 +0200

    HDDS-3321. Prometheus endpoint should have an option to be configured with Token based authentication.
    
    Closes #751
---
 .../hadoop/hdds/conf/HddsPrometheusConfig.java     | 44 ++++++++++++++++++++++
 .../hadoop/hdds/server/http/BaseHttpServer.java    | 20 +++++++++-
 .../hadoop/hdds/server/http/PrometheusServlet.java | 15 ++++++++
 3 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/conf/HddsPrometheusConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/conf/HddsPrometheusConfig.java
new file mode 100644
index 0000000..a95ad67
--- /dev/null
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/conf/HddsPrometheusConfig.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.apache.hadoop.hdds.conf;
+
+/**
+ * The configuration class for the Prometheus endpoint.
+ */
+@ConfigGroup(prefix = "hdds.prometheus.")
+public class HddsPrometheusConfig {
+
+  @Config(key = "endpoint.token",
+      type = ConfigType.STRING,
+      defaultValue = "",
+      tags = { ConfigTag.SECURITY, ConfigTag.MANAGEMENT },
+      description = "Allowed authorization token while using prometheus " +
+          "servlet endpoint. This will disable SPNEGO based authentication on" +
+          " the endpoint."
+  )
+  private String prometheusEndpointToken;
+
+  public String getPrometheusEndpointToken() {
+    return prometheusEndpointToken;
+  }
+
+  public void setPrometheusEndpointToken(String prometheusEndpointToken) {
+    this.prometheusEndpointToken = prometheusEndpointToken;
+  }
+}
\ No newline at end of file
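Review bot: The new file ends without a trailing newline (the `\ No newline at end of file` marker after the closing brace), which the project's formatter or checkstyle will most likely flag; add the newline after `}`. The field's description documents the SPNEGO side effect but not how the token is presented, so a caller reading only the config has to find the servlet to learn the header format; I would extend the description with "Clients send it as `Authorization: Bearer <token>`; an empty value keeps the regular (SPNEGO-protected in secure clusters) servlet registration." The getter and setter carry no Javadoc; a one-line `/** Returns the configured bearer token, or an empty string when token auth is not enabled. */` on `getPrometheusEndpointToken` would make the empty-means-disabled contract explicit.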
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
index 2f6df58..025a68c 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
@@ -29,6 +29,8 @@ import org.apache.hadoop.hdds.DFSConfigKeysLegacy;
 import org.apache.hadoop.hdds.HddsConfigKeys;
 import org.apache.hadoop.hdds.conf.ConfigurationSource;
 import org.apache.hadoop.hdds.conf.HddsConfServlet;
+import org.apache.hadoop.hdds.conf.HddsPrometheusConfig;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
 import org.apache.hadoop.hdds.utils.LegacyHadoopConfigurationSource;
 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
 import org.apache.hadoop.net.NetUtils;
@@ -120,7 +122,23 @@ public abstract class BaseHttpServer {
         prometheusMetricsSink = new PrometheusMetricsSink();
         httpServer.getWebAppContext().getServletContext()
             .setAttribute(PROMETHEUS_SINK, prometheusMetricsSink);
-        httpServer.addServlet("prometheus", "/prom", PrometheusServlet.class);
+        HddsPrometheusConfig prometheusConfig =
+            OzoneConfiguration.of(conf).getObject(HddsPrometheusConfig.class);
+        String token = prometheusConfig.getPrometheusEndpointToken();
+        if (StringUtils.isNotEmpty(token)) {
+          httpServer.getWebAppContext().getServletContext()
+              .setAttribute(PrometheusServlet.SECURITY_TOKEN, token);
+          // Adding as internal servlet since we want to have token based
+          // auth and hence SPNEGO should be disabled if security is enabled.
+          httpServer.addInternalServlet("prometheus", "/prom",
+              PrometheusServlet.class);
+        } else {
+          // If token is not configured, keeping as regular servlet and not
+          // internal servlet since we do not want to expose /prom endpoint
+          // without authentication in a secure cluster.
+          httpServer.addServlet("prometheus", "/prom",
+              PrometheusServlet.class);
+        }
       }
 
       if (profilerSupport) {
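Review bot: `StringUtils.isNotEmpty(token)` on the added line lets a whitespace-only value enable the token branch, so a stray space in the config would switch /prom to bearer auth with a token nobody can meaningfully send; `StringUtils.isNotBlank(token)` (assuming this is the commons-lang `StringUtils` the file already imports, not visible in this hunk) is the safer predicate. The token branch replaces SPNEGO regardless of whether the HTTP server is TLS-only, and a bearer token on a plain-HTTP listener travels in the clear; I would at least log at WARN when the token branch is taken on a non-HTTPS policy, and extend the inline comment to `// Token auth bypasses SPNEGO; the token is only as safe as the transport, so HTTPS should be enforced when it is set.`. The enclosing method starts before this hunk, so I could not confirm where `conf` comes from or whether the policy is available at this point.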
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java
index 77c2136..0d01aa4 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java
@@ -34,6 +34,9 @@ import io.prometheus.client.exporter.common.TextFormat;
  */
 public class PrometheusServlet extends HttpServlet {
 
+  public static final String SECURITY_TOKEN = "PROMETHEUS_SECURITY_TOKEN";
+  public static final String BEARER = "Bearer";
+
   public PrometheusMetricsSink getPrometheusSink() {
     return
         (PrometheusMetricsSink) getServletContext().getAttribute(
@@ -43,6 +46,18 @@ public class PrometheusServlet extends HttpServlet {
   @Override
   protected void doGet(HttpServletRequest req, HttpServletResponse resp)
       throws ServletException, IOException {
+    String securityToken =
+        (String) getServletContext().getAttribute(SECURITY_TOKEN);
+    if (securityToken != null) {
+      String authorizationHeader = req.getHeader("Authorization");
+      if (authorizationHeader == null
+          || !authorizationHeader.startsWith(BEARER)
+          || !securityToken.equals(
+              authorizationHeader.substring(BEARER.length() + 1))) {
+        resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
+        return;
+      }
+    }
     DefaultMetricsSystem.instance().publishMetricsNow();
     PrintWriter writer = resp.getWriter();
     getPrometheusSink().writeMetrics(writer);
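Review bot: The header check on the added lines can throw instead of rejecting: `startsWith(BEARER)` accepts a header that is exactly `Bearer`, and `substring(BEARER.length() + 1)` then runs past the end and raises `StringIndexOutOfBoundsException`, turning a malformed request into a 500 rather than a 403; a value such as `BearerX<token>` also passes the prefix test and is compared after dropping one arbitrary character. The prefix should include the separating space (the `BEARER` constant in the earlier hunk of this file is defined without it), and the token comparison should be constant-time via `MessageDigest.isEqual` on UTF-8 bytes rather than `String.equals`, which returns early on the first differing byte; both `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` would need importing above this hunk. The status is kept at 403 below to preserve the commit's behaviour, though RFC 6750 would suggest 401 with a `WWW-Authenticate: Bearer` header for a missing or invalid token. `doGet` continues past the end of this hunk.

```java
    String securityToken =
        (String) getServletContext().getAttribute(SECURITY_TOKEN);
    if (securityToken != null) {
      String authorizationHeader = req.getHeader("Authorization");
      // Scheme and token are separated by a single space; require it so
      // "Bearer" alone or "BearerX..." cannot reach the comparison.
      String prefix = BEARER + " ";
      if (authorizationHeader == null
          || !authorizationHeader.startsWith(prefix)
          // Constant-time compare so the response time does not leak
          // how many leading bytes of the presented token were correct.
          || !MessageDigest.isEqual(
              securityToken.getBytes(StandardCharsets.UTF_8),
              authorizationHeader.substring(prefix.length())
                  .getBytes(StandardCharsets.UTF_8))) {
        resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        return;
      }
    }
    // … unchanged: publishMetricsNow / writeMetrics …
```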

