You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ozone.apache.org by el...@apache.org on 2020/04/28 14:34:38 UTC
[hadoop-ozone] branch master updated: HDDS-3321. Prometheus
endpoint should have an option to be configured with Token based
authentication.
This is an automated email from the ASF dual-hosted git repository.
elek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hadoop-ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 1293258 HDDS-3321. Prometheus endpoint should have an option to be configured with Token based authentication.
1293258 is described below
commit 129325829ebdbea5359db2081d2f9f3850d5bb1b
Author: Aravindan Vijayan <av...@cloudera.com>
AuthorDate: Tue Apr 28 16:29:06 2020 +0200
HDDS-3321. Prometheus endpoint should have an option to be configured with Token based authentication.
Closes #751
---
.../hadoop/hdds/conf/HddsPrometheusConfig.java | 44 ++++++++++++++++++++++
.../hadoop/hdds/server/http/BaseHttpServer.java | 20 +++++++++-
.../hadoop/hdds/server/http/PrometheusServlet.java | 15 ++++++++
3 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/conf/HddsPrometheusConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/conf/HddsPrometheusConfig.java
new file mode 100644
index 0000000..a95ad67
--- /dev/null
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/conf/HddsPrometheusConfig.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdds.conf;
+
+/**
+ * The configuration class for the Prometheus endpoint.
+ */
+@ConfigGroup(prefix = "hdds.prometheus.")
+public class HddsPrometheusConfig {
+
+ @Config(key = "endpoint.token",
+ type = ConfigType.STRING,
+ defaultValue = "",
+ tags = { ConfigTag.SECURITY, ConfigTag.MANAGEMENT },
+ description = "Allowed authorization token while using prometheus " +
+ "servlet endpoint. This will disable SPNEGO based authentication on" +
+ " the endpoint."
+ )
+ private String prometheusEndpointToken;
+
+ public String getPrometheusEndpointToken() {
+ return prometheusEndpointToken;
+ }
+
+ public void setPrometheusEndpointToken(String prometheusEndpointToken) {
+ this.prometheusEndpointToken = prometheusEndpointToken;
+ }
+}
\ No newline at end of file
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
index 2f6df58..025a68c 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java
@@ -29,6 +29,8 @@ import org.apache.hadoop.hdds.DFSConfigKeysLegacy;
import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.hdds.conf.HddsConfServlet;
+import org.apache.hadoop.hdds.conf.HddsPrometheusConfig;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.utils.LegacyHadoopConfigurationSource;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.net.NetUtils;
@@ -120,7 +122,23 @@ public abstract class BaseHttpServer {
prometheusMetricsSink = new PrometheusMetricsSink();
httpServer.getWebAppContext().getServletContext()
.setAttribute(PROMETHEUS_SINK, prometheusMetricsSink);
- httpServer.addServlet("prometheus", "/prom", PrometheusServlet.class);
+ HddsPrometheusConfig prometheusConfig =
+ OzoneConfiguration.of(conf).getObject(HddsPrometheusConfig.class);
+ String token = prometheusConfig.getPrometheusEndpointToken();
+ if (StringUtils.isNotEmpty(token)) {
+ httpServer.getWebAppContext().getServletContext()
+ .setAttribute(PrometheusServlet.SECURITY_TOKEN, token);
+ // Adding as internal servlet since we want to have token based
+ // auth and hence SPNEGO should be disabled if security is enabled.
+ httpServer.addInternalServlet("prometheus", "/prom",
+ PrometheusServlet.class);
+ } else {
+ // If token is not configured, keeping as regular servlet and not
+ // internal servlet since we do not want to expose /prom endpoint
+ // without authentication in a secure cluster.
+ httpServer.addServlet("prometheus", "/prom",
+ PrometheusServlet.class);
+ }
}
if (profilerSupport) {
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java
index 77c2136..0d01aa4 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java
@@ -34,6 +34,9 @@ import io.prometheus.client.exporter.common.TextFormat;
*/
public class PrometheusServlet extends HttpServlet {
+ public static final String SECURITY_TOKEN = "PROMETHEUS_SECURITY_TOKEN";
+ public static final String BEARER = "Bearer";
+
public PrometheusMetricsSink getPrometheusSink() {
return
(PrometheusMetricsSink) getServletContext().getAttribute(
@@ -43,6 +46,18 @@ public class PrometheusServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
+ String securityToken =
+ (String) getServletContext().getAttribute(SECURITY_TOKEN);
+ if (securityToken != null) {
+ String authorizationHeader = req.getHeader("Authorization");
+ if (authorizationHeader == null
+ || !authorizationHeader.startsWith(BEARER)
+ || !securityToken.equals(
+ authorizationHeader.substring(BEARER.length() + 1))) {
+ resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+ }
DefaultMetricsSystem.instance().publishMetricsNow();
PrintWriter writer = resp.getWriter();
getPrometheusSink().writeMetrics(writer);
---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-commits-help@hadoop.apache.org