From 61dce6f2a1114284ede2b4c3c1943fea809d7b10 Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Mon, 10 Jun 2024 18:09:47 +0800
Subject: [PATCH] =?UTF-8?q?lib/httpserver:=20allow=20reloadAuthKey=20and?=
 =?UTF-8?q?=20configAuthKey=20to=20override=20htt=E2=80=A6=20(#6338)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

…pAuth.*

address https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6329, makes `reloadAuthKey`, `configAuthKey`, `flagsAuthKey`, `pprofAuthKey` behavior the same way, but keys like `-snapshotAuthKey`, `-forceMergeAuthKey` are still protected by httpAuth.*. All the available key are listed in https://docs.victoriametrics.com/single-server-victoriametrics/#security.

---------

Signed-off-by: hagen1778
Co-authored-by: hagen1778
---
 README.md | 4 ++--
 app/vmagent/main.go | 4 ++--
 app/vmalert/web.go | 2 +-
 app/vmauth/main.go | 2 +-
 app/vminsert/main.go | 4 ++--
 docs/CHANGELOG.md | 1 +
 docs/README.md | 4 ++--
 docs/Single-server-VictoriaMetrics.md | 4 ++--
 docs/vmagent.md | 4 ++--
 docs/vmalert.md | 2 +-
 docs/vmauth.md | 2 +-
 lib/httpserver/httpserver.go | 12 ++++++++++++
 12 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 17e55b9a9..1cb330ddd 100644
--- a/README.md
+++ b/README.md
@@ -2762,7 +2762,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -cacheExpireDuration duration
 Items are removed from in-memory caches after they aren't accessed for this duration. Lower values may reduce memory usage at the cost of higher CPU usage. See also -prevCacheRemovalPercent (default 30m0s)
 -configAuthKey value
- Authorization key for accessing /config page. It must be passed via authKey query arg
+ Authorization key for accessing /config page. It must be passed via authKey query arg. It overrides httpAuth.* settings.
 Flag value can be read from the given file when using -configAuthKey=file:///abs/path/to/file or -configAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -configAuthKey=http://host/path or -configAuthKey=https://host/path
 -csvTrimTimestamp duration
 Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
@@ -3076,7 +3076,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -relabelConfig string
 Optional path to a file with relabeling rules, which are applied to all the ingested metrics. The path can point either to local file or to http url. See https://docs.victoriametrics.com/#relabeling for details. The config is reloaded on SIGHUP signal
 -reloadAuthKey value
- Auth key for /-/reload http endpoint. It must be passed as authKey=...
+ Auth key for /-/reload http endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings.
 Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path
 -retentionFilter array
 Retention filter in the format 'filter:retention'. For example, '{env="dev"}:3d' configures the retention for time series with env="dev" label to 3 days. See https://docs.victoriametrics.com/#retention-filters for details. This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/enterprise/
diff --git a/app/vmagent/main.go b/app/vmagent/main.go
index 4429f2458..c1c53ea7a 100644
--- a/app/vmagent/main.go
+++ b/app/vmagent/main.go
@@ -78,8 +78,8 @@ var (
 "See also -opentsdbHTTPListenAddr.useProxyProtocol")
 opentsdbHTTPUseProxyProtocol = flag.Bool("opentsdbHTTPListenAddr.useProxyProtocol", false, "Whether to use proxy protocol for connections accepted "+
 "at -opentsdbHTTPListenAddr . See https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt")
- configAuthKey = flagutil.NewPassword("configAuthKey", "Authorization key for accessing /config page. It must be passed via authKey query arg")
- reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
+ configAuthKey = flagutil.NewPassword("configAuthKey", "Authorization key for accessing /config page. It must be passed via authKey query arg. It overrides httpAuth.* settings.")
+ reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings.")
 dryRun = flag.Bool("dryRun", false, "Whether to check config files without running vmagent. The following files are checked: "+
 "-promscrape.config, -remoteWrite.relabelConfig, -remoteWrite.urlRelabelConfig, -remoteWrite.streamAggr.config . "+
 "Unknown config entries aren't allowed in -promscrape.config by default. This can be changed by passing -promscrape.config.strictParse=false command-line flag")
diff --git a/app/vmalert/web.go b/app/vmalert/web.go
index 0dc8ac8b8..43d2562cc 100644
--- a/app/vmalert/web.go
+++ b/app/vmalert/web.go
@@ -19,7 +19,7 @@ import (
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/procutil"
 )
 
-var reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
+var reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings.")
 
 var (
 apiLinks = [][2]string{
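Review bot: The `configAuthKey` and `reloadAuthKey` help strings are now repeated verbatim across four components (this vmagent hunk, the app/vmalert/web.go hunk on the same line, and the app/vmauth/main.go and app/vminsert/main.go hunks below), and the removed lines show the copies had already drifted (`passed as authKey=...` versus `passed via authKey query arg`). Since the "overrides httpAuth.*" promise in these strings is enforced elsewhere (the lib/httpserver hunk points at CheckAuthFlag), a single shared description constant living next to that enforcement, e.g. `flagutil.NewPassword("reloadAuthKey", reloadAuthKeyDesc)` with `reloadAuthKeyDesc` as an illustrative name, would keep the help text and the behaviour it describes from diverging again. The enclosing `var (` block starts and ends outside each hunk.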
diff --git a/app/vmauth/main.go b/app/vmauth/main.go
index 92d906689..87659350d 100644
--- a/app/vmauth/main.go
+++ b/app/vmauth/main.go
@@ -43,7 +43,7 @@ var (
 maxConcurrentPerUserRequests = flag.Int("maxConcurrentPerUserRequests", 300, "The maximum number of concurrent requests vmauth can process per each configured user. "+
 "Other requests are rejected with '429 Too Many Requests' http status code. See also -maxConcurrentRequests command-line option and max_concurrent_requests option "+
 "in per-user config")
- reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
+ reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings.")
 logInvalidAuthTokens = flag.Bool("logInvalidAuthTokens", false, "Whether to log requests with invalid auth tokens. "+
 `Such requests are always counted at vmauth_http_request_errors_total{reason="invalid_auth_token"} metric, which is exposed at /metrics page`)
 failTimeout = flag.Duration("failTimeout", 3*time.Second, "Sets a delay period for load balancing to skip a malfunctioning backend")
diff --git a/app/vminsert/main.go b/app/vminsert/main.go
index 181d00b83..487d4aacd 100644
--- a/app/vminsert/main.go
+++ b/app/vminsert/main.go
@@ -73,8 +73,8 @@ var (
 "See also -opentsdbHTTPListenAddr.useProxyProtocol")
 opentsdbHTTPUseProxyProtocol = flag.Bool("opentsdbHTTPListenAddr.useProxyProtocol", false, "Whether to use proxy protocol for connections accepted "+
 "at -opentsdbHTTPListenAddr . See https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt")
- configAuthKey = flagutil.NewPassword("configAuthKey", "Authorization key for accessing /config page. It must be passed via authKey query arg")
- reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed as authKey=...")
+ configAuthKey = flagutil.NewPassword("configAuthKey", "Authorization key for accessing /config page. It must be passed via authKey query arg. It overrides httpAuth.* settings.")
+ reloadAuthKey = flagutil.NewPassword("reloadAuthKey", "Auth key for /-/reload http endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings.")
 maxLabelsPerTimeseries = flag.Int("maxLabelsPerTimeseries", 30, "The maximum number of labels accepted per time series. Superfluous labels are dropped. In this case the vm_metrics_with_dropped_labels_total metric at /metrics page is incremented")
 maxLabelValueLen = flag.Int("maxLabelValueLen", 1024, "The maximum length of label values in the accepted time series. Longer label values are truncated. In this case the vm_too_long_label_values_total metric at /metrics page is incremented")
 )
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index de8573c75..5ed1ebbfa 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -33,6 +33,7 @@ See also [LTS releases](https://docs.victoriametrics.com/lts-releases/).
 * FEATURE: [alerts-vmagent](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/deployment/docker/alerts-vmagent.yml): add new alerting rules `StreamAggrFlushTimeout` and `StreamAggrDedupFlushTimeout` to notify about issues during stream aggregation.
 * FEATURE: [dashboards/vmagent](https://grafana.com/grafana/dashboards/12683): add row `Streaming aggregation` with panels related to [streaming aggregation](https://docs.victoriametrics.com/stream-aggregation/) process.
+* BUGFIX: all VictoriaMetrics components: prioritize `-configAuthKey` and `-reloadAuthKey` over `-httpAuth.*` settings. This change aligns behavior of mentioned flags with other auth flags like `-metricsAuthKey`, `-flagsAuthKey`, `-pprofAuthKey`. Check [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6329).
 ## [v1.102.0-rc1](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.102.0-rc1)
diff --git a/docs/README.md b/docs/README.md
index 74470eb62..799eeea8b 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -2765,7 +2765,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -cacheExpireDuration duration
 Items are removed from in-memory caches after they aren't accessed for this duration. Lower values may reduce memory usage at the cost of higher CPU usage. See also -prevCacheRemovalPercent (default 30m0s)
 -configAuthKey value
- Authorization key for accessing /config page. It must be passed via authKey query arg
+ Authorization key for accessing /config page. It must be passed via authKey query arg. It overrides httpAuth.* settings.
 Flag value can be read from the given file when using -configAuthKey=file:///abs/path/to/file or -configAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -configAuthKey=http://host/path or -configAuthKey=https://host/path
 -csvTrimTimestamp duration
 Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
@@ -3079,7 +3079,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -relabelConfig string
 Optional path to a file with relabeling rules, which are applied to all the ingested metrics. The path can point either to local file or to http url. See https://docs.victoriametrics.com/#relabeling for details. The config is reloaded on SIGHUP signal
 -reloadAuthKey value
- Auth key for /-/reload http endpoint. It must be passed as authKey=...
+ Auth key for /-/reload http endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings.
 Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path
 -retentionFilter array
 Retention filter in the format 'filter:retention'. For example, '{env="dev"}:3d' configures the retention for time series with env="dev" label to 3 days. See https://docs.victoriametrics.com/#retention-filters for details. This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/enterprise/
diff --git a/docs/Single-server-VictoriaMetrics.md b/docs/Single-server-VictoriaMetrics.md
index c0c3bdec2..ed4c30afe 100644
--- a/docs/Single-server-VictoriaMetrics.md
+++ b/docs/Single-server-VictoriaMetrics.md
@@ -2773,7 +2773,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -cacheExpireDuration duration
 Items are removed from in-memory caches after they aren't accessed for this duration. Lower values may reduce memory usage at the cost of higher CPU usage. See also -prevCacheRemovalPercent (default 30m0s)
 -configAuthKey value
- Authorization key for accessing /config page. It must be passed via authKey query arg
+ Authorization key for accessing /config page. It must be passed via authKey query arg. It overrides httpAuth.* settings.
 Flag value can be read from the given file when using -configAuthKey=file:///abs/path/to/file or -configAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -configAuthKey=http://host/path or -configAuthKey=https://host/path
 -csvTrimTimestamp duration
 Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
@@ -3087,7 +3087,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -relabelConfig string
 Optional path to a file with relabeling rules, which are applied to all the ingested metrics. The path can point either to local file or to http url. See https://docs.victoriametrics.com/#relabeling for details. The config is reloaded on SIGHUP signal
 -reloadAuthKey value
- Auth key for /-/reload http endpoint. It must be passed as authKey=...
+ Auth key for /-/reload http endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings.
 Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path
 -retentionFilter array
 Retention filter in the format 'filter:retention'. For example, '{env="dev"}:3d' configures the retention for time series with env="dev" label to 3 days. See https://docs.victoriametrics.com/#retention-filters for details. This flag is available only in VictoriaMetrics enterprise. See https://docs.victoriametrics.com/enterprise/
diff --git a/docs/vmagent.md b/docs/vmagent.md
index 6fe169f61..872514117 100644
--- a/docs/vmagent.md
+++ b/docs/vmagent.md
@@ -1637,7 +1637,7 @@ See the docs at https://docs.victoriametrics.com/vmagent/ .
 -cacheExpireDuration duration
 Items are removed from in-memory caches after they aren't accessed for this duration. Lower values may reduce memory usage at the cost of higher CPU usage. See also -prevCacheRemovalPercent (default 30m0s)
 -configAuthKey value
- Authorization key for accessing /config page. It must be passed via authKey query arg
+ Authorization key for accessing /config page. It must be passed via authKey query arg. It overrides httpAuth.* settings.
 Flag value can be read from the given file when using -configAuthKey=file:///abs/path/to/file or -configAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -configAuthKey=http://host/path or -configAuthKey=https://host/path
 -csvTrimTimestamp duration
 Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
@@ -2006,7 +2006,7 @@ See the docs at https://docs.victoriametrics.com/vmagent/ .
 Supports an array of values separated by comma or specified via multiple flags.
 Value can contain comma inside single-quoted or double-quoted string, {}, [] and () braces.
 -reloadAuthKey value
- Auth key for /-/reload http endpoint. It must be passed as authKey=...
+ Auth key for /-/reload http endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings.
 Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path
 -remoteWrite.aws.accessKey array
 Optional AWS AccessKey to use for the corresponding -remoteWrite.url if -remoteWrite.aws.useSigv4 is set
diff --git a/docs/vmalert.md b/docs/vmalert.md
index b3719d78d..19fbe9e5d 100644
--- a/docs/vmalert.md
+++ b/docs/vmalert.md
@@ -1263,7 +1263,7 @@ The shortlist of configuration flags is the following:
 Supports an array of values separated by comma or specified via multiple flags.
 Value can contain comma inside single-quoted or double-quoted string, {}, [] and () braces.
 -reloadAuthKey value
- Auth key for /-/reload http endpoint. It must be passed as authKey=...
+ Auth key for /-/reload http endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings.
 Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path
 -remoteRead.basicAuth.password string
 Optional basic auth password for -remoteRead.url
diff --git a/docs/vmauth.md b/docs/vmauth.md
index 18477558f..798fc0ff5 100644
--- a/docs/vmauth.md
+++ b/docs/vmauth.md
@@ -1287,7 +1287,7 @@ See the docs at https://docs.victoriametrics.com/vmauth/ .
 Supports an array of values separated by comma or specified via multiple flags.
 Value can contain comma inside single-quoted or double-quoted string, {}, [] and () braces.
 -reloadAuthKey value
- Auth key for /-/reload http endpoint. It must be passed as authKey=...
+ Auth key for /-/reload http endpoint. It must be passed via authKey query arg. It overrides httpAuth.* settings.
 Flag value can be read from the given file when using -reloadAuthKey=file:///abs/path/to/file or -reloadAuthKey=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -reloadAuthKey=http://host/path or -reloadAuthKey=https://host/path
 -responseTimeout duration
 The timeout for receiving a response from backend (default 5m0s)
diff --git a/lib/httpserver/httpserver.go b/lib/httpserver/httpserver.go
index d3c75d85f..4c9c768e2 100644
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -396,6 +396,18 @@ func handlerWrapper(s *server, w http.ResponseWriter, r *http.Request, rh Reques
 // See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4128
 fmt.Fprintf(w, "User-agent: *\nDisallow: /\n")
 return
+ case "/config", "/-/reload":
+ // only some components (vmagent, vmalert, etc.) support these handlers
+ // these components are responsible for CheckAuthFlag call
+ // see https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6329
+ w = &responseWriterWithAbort{
+ ResponseWriter: w,
+ }
+ if !rh(w, r) {
+ Errorf(w, r, "unsupported path requested: %q", r.URL.Path)
+ unsupportedRequestErrors.Inc()
+ }
+ return
 default:
 if strings.HasPrefix(r.URL.Path, "/debug/pprof/") {
 pprofRequests.Inc()
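Review bot: The new `case "/config", "/-/reload":` branch turns this switch into the single place that exempts those two paths from the httpAuth.* check, so any component that registers a handler for either path without calling CheckAuthFlag would serve it without authentication even when httpAuth.* is configured; the added comment mentions this only in passing, and the exemption applies whether or not the component sets the corresponding key flag. I would state the contract explicitly at the top of the branch, e.g. `// httpAuth.* is NOT enforced for these paths: every component handler for them MUST gate the request with CheckAuthFlag (-configAuthKey / -reloadAuthKey).` CheckAuthFlag itself is not in view, so it is worth confirming what it does when the key flag is empty — if it falls back to httpAuth.* the change is sound, and if it does not, an unset `-reloadAuthKey` would leave `/-/reload` reachable without any auth and the flag descriptions should say so. The abort-wrapper / Errorf / counter sequence reads like a copy of the default branch, which is outside the hunk; a small shared helper would keep the two error paths from drifting. handlerWrapper starts and ends outside the hunk.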