From 45ac06466927ec2ed0daed4c1f1c285a8729a257 Mon Sep 17 00:00:00 2001
From: Fabian Reinartz
Date: Mon, 10 Jul 2017 09:29:41 +0200
Subject: [PATCH] web: disable Amin APIs by default

---
 cmd/prometheus/main.go | 3 +++
 web/api/v2/api.go | 24 +++++++++++++++++++++++-
 web/web.go | 2 ++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/cmd/prometheus/main.go b/cmd/prometheus/main.go
index cae862d828..92310bb01f 100644
--- a/cmd/prometheus/main.go
+++ b/cmd/prometheus/main.go
@@ -127,6 +127,9 @@ func main() {
 a.Flag("web.enable-remote-shutdown", "Enable shutdown via HTTP request.").
 Default("false").BoolVar(&cfg.web.EnableQuit)
 
+ a.Flag("web.enable-admin-api", "Enables API endpoints for admin control actions").
+ Default("false").BoolVar(&cfg.web.EnableAdminAPI)
+
 a.Flag("web.console.templates", "Path to the console template directory, available at /consoles.").
 Default("consoles").StringVar(&cfg.web.ConsoleTemplatesPath)
 
diff --git a/web/api/v2/api.go b/web/api/v2/api.go
index af3f0e9cd0..25cfb7afc1 100644
--- a/web/api/v2/api.go
+++ b/web/api/v2/api.go
@@ -44,6 +44,7 @@ import (
 
 // API encapsulates all API services.
 type API struct {
+ enableAdmin bool
 now func() time.Time
 db *tsdb.DB
 q func(mint, maxt int64) storage.Querier
@@ -59,6 +60,7 @@ func New(
 q func(mint, maxt int64) storage.Querier,
 targets func() []*retrieval.Target,
 alertmanagers func() []*url.URL,
+ enableAdmin bool,
 ) *API {
 return &API{
 now: now,
@@ -66,12 +68,17 @@ func New(
 q: q,
 targets: targets,
 alertmanagers: alertmanagers,
+ enableAdmin: enableAdmin,
 }
 }
 
 // RegisterGRPC registers all API services with the given server.
 func (api *API) RegisterGRPC(srv *grpc.Server) {
- pb.RegisterAdminServer(srv, NewAdmin(api.db))
+ if api.enableAdmin {
+ pb.RegisterAdminServer(srv, NewAdmin(api.db))
+ } else {
+ pb.RegisterAdminServer(srv, &adminDisabled{})
+ }
 }
 
 // HTTPHandler returns an HTTP handler for a REST API gateway to the given grpc address.
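Review bot: The help string for `web.enable-admin-api` does not tell an operator what the flag exposes, and unlike its neighbours in this hunk it is written in the third person ("Enables") and lacks the closing period. The same commit shows that the flag gates `TSDBSnapshot` and `DeleteSeries`, so I would name those in the help text: `a.Flag("web.enable-admin-api", "Enable API endpoints for admin control actions (TSDB snapshot, series deletion).").` The body of main() continues outside the hunk.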
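Review bot: In `RegisterGRPC` the two branches differ only in which implementation is passed, and the privileged one sits in the `if` arm; I would start from the `adminDisabled` stub and swap in `NewAdmin(api.db)` only when `api.enableAdmin` is set, so the fail-closed default is the visible starting point and `pb.RegisterAdminServer` is called once. The commit's diffstat lists no test file, so nothing pins this gate; a test that builds the API with `enableAdmin` false and asserts that `DeleteSeries` is rejected would catch a later change that re-exposes the endpoints. The `enableAdmin` field and `New` parameter added in the two earlier api.go hunks would also benefit from a comment stating that false means the admin API is disabled.

```go
func (api *API) RegisterGRPC(srv *grpc.Server) {
	// Fail closed: admin calls are answered by the stub's "disabled" error
	// unless the admin API was explicitly enabled.
	var admin pb.AdminServer = &adminDisabled{}
	if api.enableAdmin {
		admin = NewAdmin(api.db)
	}
	pb.RegisterAdminServer(srv, admin)
}
```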
@@ -125,6 +132,21 @@ func labelsToProto(lset labels.Labels) pb.Labels {
 return r
 }
 
+// adminDisabled implements the administration interface that informs
+// that the API endpoints are disbaled.
+type adminDisabled struct {
+}
+
+// TSDBSnapshot implements pb.AdminServer.
+func (s *adminDisabled) TSDBSnapshot(_ context.Context, _ *pb.TSDBSnapshotRequest) (*pb.TSDBSnapshotResponse, error) {
+ return nil, status.Error(codes.Unavailable, "Admin APIs are disabled")
+}
+
+// DeleteSeries imeplements pb.AdminServer.
+func (s *adminDisabled) DeleteSeries(_ context.Context, r *pb.SeriesDeleteRequest) (*pb.SeriesDeleteResponse, error) {
+ return nil, status.Error(codes.Unavailable, "Admin APIs are disabled")
+}
+
 // Admin provides an administration interface to Prometheus.
 type Admin struct {
 db *tsdb.DB
diff --git a/web/web.go b/web/web.go
index 03b5daf869..c57800ffe7 100644
--- a/web/web.go
+++ b/web/web.go
@@ -133,6 +133,7 @@ type Options struct {
 ConsoleTemplatesPath string
 ConsoleLibrariesPath string
 EnableQuit bool
+ EnableAdminAPI bool
 }
 
 // New initializes a new web Handler.
@@ -301,6 +302,7 @@ func (h *Handler) Run(ctx context.Context) error {
 func() []*url.URL {
 return h.options.Notifier.Alertmanagers()
 },
+ h.options.EnableAdminAPI,
 )
 av2.RegisterGRPC(grpcSrv)
 
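Review bot: Both `adminDisabled` methods return `codes.Unavailable`, which gRPC documents as a most-likely-transient condition that callers may retry with backoff; a switched-off API is a permanent configuration state, so clients with retry logic will keep retrying and monitoring will read the response as an outage rather than a deliberate setting. `codes.Unimplemented` is documented for operations that are not supported or enabled in the service and fits better: `return nil, status.Error(codes.Unimplemented, "Admin APIs are disabled")`. Smaller points in the same hunk: the comments misspell "disabled" ("disbaled") and "implements" ("imeplements"), and `DeleteSeries` names its unused request `r` where `TSDBSnapshot` uses `_`.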