From 9b15b11f744e2e1f7a1ee9704fae7f3433b8c919 Mon Sep 17 00:00:00 2001
From: Aliaksandr Valialkin
Date: Thu, 17 Sep 2020 14:21:39 +0300
Subject: [PATCH] app/vmstorage: added `-forceMergeAuthKey` command-line flag for protecting `/internal/force_merge` endpoint
---
 README.md | 2 +-
 app/vmstorage/main.go | 18 ++++++++++++------
 docs/Cluster-VictoriaMetrics.md | 2 +-
 3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 0434d8f1c..5a70b6730 100644
--- a/README.md
+++ b/README.md
@@ -206,7 +206,7 @@ or [an alternative dashboard for VictoriaMetrics cluster](https://grafana.com/gr
 be used on a regular basis, since it carries non-zero overhead.
 * `vmstorage` nodes provide the following HTTP endpoints on `8482` port:
- - `/internal/force_merge` - initiate [forced compactions](https://victoriametrics.github.io/#force-merge) on the given `vmstorage` node.
+ - `/internal/force_merge` - initiate [forced compactions](https://victoriametrics.github.io/#forced-merge) on the given `vmstorage` node.
 - `/snapshot/create` - create [instant snapshot](https://medium.com/@valyala/how-victoriametrics-makes-instant-snapshots-for-multi-terabyte-time-series-data-e1f3fb0e0282), which can be used for backups in background. Snapshots are created in `/snapshots` folder, where `` is the corresponding command-line flag value.
diff --git a/app/vmstorage/main.go b/app/vmstorage/main.go
index e20c839d9..507457830 100644
--- a/app/vmstorage/main.go
+++ b/app/vmstorage/main.go
@@ -22,12 +22,13 @@ import (
 )
 var (
- httpListenAddr = flag.String("httpListenAddr", ":8482", "Address to listen for http connections")
- retentionPeriod = flag.Int("retentionPeriod", 1, "Retention period in months")
- storageDataPath = flag.String("storageDataPath", "vmstorage-data", "Path to storage data")
- vminsertAddr = flag.String("vminsertAddr", ":8400", "TCP address to accept connections from vminsert services")
- vmselectAddr = flag.String("vmselectAddr", ":8401", "TCP address to accept connections from vmselect services")
- snapshotAuthKey = flag.String("snapshotAuthKey", "", "authKey, which must be passed in query string to /snapshot* pages")
+ httpListenAddr = flag.String("httpListenAddr", ":8482", "Address to listen for http connections")
+ retentionPeriod = flag.Int("retentionPeriod", 1, "Retention period in months")
+ storageDataPath = flag.String("storageDataPath", "vmstorage-data", "Path to storage data")
+ vminsertAddr = flag.String("vminsertAddr", ":8400", "TCP address to accept connections from vminsert services")
+ vmselectAddr = flag.String("vmselectAddr", ":8401", "TCP address to accept connections from vmselect services")
+ snapshotAuthKey = flag.String("snapshotAuthKey", "", "authKey, which must be passed in query string to /snapshot* pages")
+ forceMergeAuthKey = flag.String("forceMergeAuthKey", "", "authKey, which must be passed in query string to /internal/force_merge pages")
 bigMergeConcurrency = flag.Int("bigMergeConcurrency", 0, "The maximum number of CPU cores to use for big merges. Default value is used if set to 0")
 smallMergeConcurrency = flag.Int("smallMergeConcurrency", 0, "The maximum number of CPU cores to use for small merges. Default value is used if set to 0")
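Review bot: The help text for `-forceMergeAuthKey` does not say that the default empty value leaves `/internal/force_merge` open: the check added in `requestHandler` compares the request's `authKey` with the flag value, so with the flag unset a request that carries no `authKey` passes. I would state that in the description, for example `"authKey, which must be passed in query string to /internal/force_merge pages. The endpoint is not protected if the flag is empty"`. Because the key travels in the query string, it will presumably also appear in access logs and proxy logs along the way, which deserves a sentence in the docs next to the endpoint.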
@@ -114,6 +115,11 @@ func newRequestHandler(strg *storage.Storage) httpserver.RequestHandler {
 func requestHandler(w http.ResponseWriter, r *http.Request, strg *storage.Storage) bool {
 path := r.URL.Path
 if path == "/internal/force_merge" {
+ authKey := r.FormValue("authKey")
+ if authKey != *forceMergeAuthKey {
+ httpserver.Errorf(w, r, "invalid authKey %q. It must match the value from -forceMergeAuthKey command line flag", authKey)
+ return true
+ }
 // Run force merge in background
 partitionNamePrefix := r.FormValue("partition_prefix")
 go func() {
diff --git a/docs/Cluster-VictoriaMetrics.md b/docs/Cluster-VictoriaMetrics.md
index 0434d8f1c..5a70b6730 100644
--- a/docs/Cluster-VictoriaMetrics.md
+++ b/docs/Cluster-VictoriaMetrics.md
@@ -206,7 +206,7 @@ or [an alternative dashboard for VictoriaMetrics cluster](https://grafana.com/gr
 be used on a regular basis, since it carries non-zero overhead.
 * `vmstorage` nodes provide the following HTTP endpoints on `8482` port:
- - `/internal/force_merge` - initiate [forced compactions](https://victoriametrics.github.io/#force-merge) on the given `vmstorage` node.
+ - `/internal/force_merge` - initiate [forced compactions](https://victoriametrics.github.io/#forced-merge) on the given `vmstorage` node.
 - `/snapshot/create` - create [instant snapshot](https://medium.com/@valyala/how-victoriametrics-makes-instant-snapshots-for-multi-terabyte-time-series-data-e1f3fb0e0282), which can be used for backups in background. Snapshots are created in `/snapshots` folder, where `` is the corresponding command-line flag value.
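Review bot: The new check in the `/internal/force_merge` branch of `requestHandler` (app/vmstorage/main.go) compares the key with `!=`, which returns at the first differing byte, and then formats the rejected value into the error with `%q`. A constant-time comparison fits a secret better: `if subtle.ConstantTimeCompare([]byte(authKey), []byte(*forceMergeAuthKey)) != 1 {`, with `crypto/subtle` added to the import block, which lies outside this hunk. I would also drop `authKey` from the message (`httpserver.Errorf(w, r, "invalid authKey. It must match the value from -forceMergeAuthKey command line flag")`), since a mistyped near-copy of the real key would otherwise be written to the response and, if `httpserver.Errorf` logs as its name suggests, to the server log. The body of `requestHandler` continues past the end of the hunk.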