diff --git a/README.md b/README.md index f7c7118ba..e13953e7f 100644 --- a/README.md +++ b/README.md @@ -1213,6 +1213,7 @@ Consider setting the following command-line flags: * `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](#how-to-work-with-snapshots). * `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](#forced-merge). * `-search.resetCacheAuthKey` for protecting `/internal/resetRollupResultCache` endpoint. See [backfilling](#backfilling) for more details. +* `-configAuthKey` for pretecting `/config` endpoint, since it may contain sensitive information such as passwords. Explicitly set internal network interface for TCP and UDP ports for data ingestion with Graphite and OpenTSDB formats. For example, substitute `-graphiteListenAddr=:2003` with `-graphiteListenAddr=:2003`. @@ -1549,6 +1550,8 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li ``` -bigMergeConcurrency int The maximum number of CPU cores to use for big merges. Default value is used if set to 0 + -configAuthKey string + Authorization key for accessing /config page. It must be passed via authKey query arg -csvTrimTimestamp duration Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms) -datadog.maxInsertRequestSize size 
@@ -1648,7 +1651,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -memory.allowedPercent float
 Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from OS page cache which will result in higher disk IO usage (default 60)
 -metricsAuthKey string
- Auth key for /metrics. It overrides httpAuth settings
+ Auth key for /metrics. It must be passed via authKey query arg. It overrides httpAuth.* settings
 -opentsdbHTTPListenAddr string
 TCP address to listen for OpentTSDB HTTP put requests. Usually :4242 must be set. Doesn't work if empty
 -opentsdbListenAddr string
@@ -1661,7 +1664,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -opentsdbhttpTrimTimestamp duration
 Trim timestamps for OpenTSDB HTTP data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
 -pprofAuthKey string
- Auth key for /debug/pprof. It overrides httpAuth settings
+ Auth key for /debug/pprof. It must be passed via authKey query arg. It overrides httpAuth.* settings
 -precisionBits int
 The number of precision bits to store per each value. Lower precision bits improves data compression at the cost of precision loss (default 64)
 -promscrape.cluster.memberNum int
diff --git a/app/vmagent/README.md b/app/vmagent/README.md
index 564b582b6..13b764081 100644
--- a/app/vmagent/README.md
+++ b/app/vmagent/README.md
@@ -707,6 +707,8 @@ vmagent collects metrics data via popular data ingestion protocols and routes th See the docs at https://docs.victoriametrics.com/vmagent.html . + -configAuthKey string + Authorization key for accessing /config page. It must be passed via authKey query arg -csvTrimTimestamp duration Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms) -datadog.maxInsertRequestSize size @@ -790,7 +792,7 @@ See the docs at https://docs.victoriametrics.com/vmagent.html . -memory.allowedPercent float Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from OS page cache which will result in higher disk IO usage (default 60) -metricsAuthKey string - Auth key for /metrics. It overrides httpAuth settings + Auth key for /metrics. It must be passed via authKey query arg. It overrides httpAuth.* settings -opentsdbHTTPListenAddr string TCP address to listen for OpentTSDB HTTP put requests. Usually :4242 must be set. Doesn't work if empty -opentsdbListenAddr string 
@@ -803,7 +805,7 @@ See the docs at https://docs.victoriametrics.com/vmagent.html .
 -opentsdbhttpTrimTimestamp duration
 Trim timestamps for OpenTSDB HTTP data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
 -pprofAuthKey string
- Auth key for /debug/pprof. It overrides httpAuth settings
+ Auth key for /debug/pprof. It must be passed via authKey query arg. It overrides httpAuth.* settings
 -promscrape.cluster.memberNum int
 The number of number in the cluster of scrapers. It must be an unique value in the range 0 ... promscrape.cluster.membersCount-1 across scrapers in the cluster
 -promscrape.cluster.membersCount int
diff --git a/app/vmagent/main.go b/app/vmagent/main.go
index befe066eb..8e46d4624 100644
--- a/app/vmagent/main.go
+++ b/app/vmagent/main.go
@@ -50,6 +50,7 @@ var (
 "Telnet put messages and HTTP /api/put messages are simultaneously served on TCP port. "+
 "Usually :4242 must be set. Doesn't work if empty")
 opentsdbHTTPListenAddr = flag.String("opentsdbHTTPListenAddr", "", "TCP address to listen for OpentTSDB HTTP put requests. Usually :4242 must be set. Doesn't work if empty")
+ configAuthKey = flag.String("configAuthKey", "", "Authorization key for accessing /config page. It must be passed via authKey query arg")
 dryRun = flag.Bool("dryRun", false, "Whether to check only config files without running vmagent. The following files are checked: "+
 "-promscrape.config, -remoteWrite.relabelConfig, -remoteWrite.urlRelabelConfig . "+
 "Unknown config entries are allowed in -promscrape.config by default. This can be changed with -promscrape.config.strictParse")
@@ -262,6 +263,14 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 promscrape.WriteHumanReadableTargetsStatus(w, r)
 return true
 case "/config":
+ if *configAuthKey != "" && r.FormValue("authKey") != *configAuthKey {
+ err := &httpserver.ErrorWithStatusCode{
+ Err: fmt.Errorf("The provided authKey doesn't match -configAuthKey"),
+ StatusCode: http.StatusUnauthorized,
+ }
+ httpserver.Errorf(w, r, "%s", err)
+ return true
+ }
 promscrapeConfigRequests.Inc()
 w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 promscrape.WriteConfigData(w)
diff --git a/app/vminsert/main.go b/app/vminsert/main.go
index d85187908..735395a8e 100644
--- a/app/vminsert/main.go
+++ b/app/vminsert/main.go
@@ -42,6 +42,7 @@ var (
 "Telnet put messages and HTTP /api/put messages are simultaneously served on TCP port. "+
 "Usually :4242 must be set. Doesn't work if empty")
 opentsdbHTTPListenAddr = flag.String("opentsdbHTTPListenAddr", "", "TCP address to listen for OpentTSDB HTTP put requests. Usually :4242 must be set. Doesn't work if empty")
+ configAuthKey = flag.String("configAuthKey", "", "Authorization key for accessing /config page. It must be passed via authKey query arg")
 maxLabelsPerTimeseries = flag.Int("maxLabelsPerTimeseries", 30, "The maximum number of labels accepted per time series. Superfluous labels are dropped")
 )
 
@@ -197,6 +198,14 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 promscrape.WriteAPIV1Targets(w, state)
 return true
 case "/prometheus/config", "/config":
+ if *configAuthKey != "" && r.FormValue("authKey") != *configAuthKey {
+ err := &httpserver.ErrorWithStatusCode{
+ Err: fmt.Errorf("The provided authKey doesn't match -configAuthKey"),
+ StatusCode: http.StatusUnauthorized,
+ }
+ httpserver.Errorf(w, r, "%s", err)
+ return true
+ }
 promscrapeConfigRequests.Inc()
 w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 promscrape.WriteConfigData(w)
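Review bot: The new `/config` guard compares the secret with a plain `r.FormValue("authKey") != *configAuthKey`, and the identical eight lines are repeated in vminsert's RequestHandler hunk below; both places would be better served by one shared check that uses `subtle.ConstantTimeCompare([]byte(r.FormValue("authKey")), []byte(*configAuthKey)) != 1`, so the comparison does not leak key bytes through timing and the two handlers cannot drift apart. `fmt.Errorf` with a constant message should be `errors.New`, and by Go convention the text should start lowercase, e.g. `errors.New("the provided authKey doesn't match -configAuthKey")`. Rejected requests return before `promscrapeConfigRequests.Inc()`, so they are not counted; if that is deliberate, a one-line comment such as `// Unauthorized requests are not counted in promscrapeConfigRequests.` would make it clear. The enclosing requestHandler starts and ends outside the hunk, and the same applies to RequestHandler in vminsert.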
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 5022c901e..55a9aff53 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -9,6 +9,7 @@ sort: 15 * FEATURE: vmalert: allow groups with empty rules list like Prometheus does. See [this pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/1742). * FEATURE: vmagent: add `collapse` and `expand` buttons per each group of targets with the same `job_name` at `http://vmagent:8429/targets` page. * FEATURE: automatically detect timestamp precision (ns, us, ms or s) for the data ingested into VictoriaMetrics via [InfluxDB line protocol](https://docs.victoriametrics.com/#how-to-send-data-from-influxdb-compatible-agents-such-as-telegraf). +* FEATURE: vmagent: add ability to protect `/config` page with auth key via `-configAuthKey` command-line flag. This page may contain sensitive information such as passwords, so it may be good to restrict access to this page. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1764). * BUGFIX: vmagent: properly display `proxy_url` config option at `http://vmagent:8429/config` page. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1755). * BUGFIX: fix tests for Apple M1. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1653). diff --git a/docs/README.md b/docs/README.md index f7c7118ba..e13953e7f 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -1213,6 +1213,7 @@ Consider setting the following command-line flags: * `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](#how-to-work-with-snapshots). * `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](#forced-merge). * `-search.resetCacheAuthKey` for protecting `/internal/resetRollupResultCache` endpoint. See [backfilling](#backfilling) for more details. +* `-configAuthKey` for pretecting `/config` endpoint, since it may contain sensitive information such as passwords. Explicitly set internal network interface for TCP and UDP ports for data ingestion with Graphite and OpenTSDB formats. For example, substitute `-graphiteListenAddr=:2003` with `-graphiteListenAddr=:2003`. @@ -1549,6 +1550,8 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li ``` -bigMergeConcurrency int The maximum number of CPU cores to use for big merges. Default value is used if set to 0 + -configAuthKey string + Authorization key for accessing /config page. It must be passed via authKey query arg -csvTrimTimestamp duration Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms) -datadog.maxInsertRequestSize size 
@@ -1648,7 +1651,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -memory.allowedPercent float
 Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from OS page cache which will result in higher disk IO usage (default 60)
 -metricsAuthKey string
- Auth key for /metrics. It overrides httpAuth settings
+ Auth key for /metrics. It must be passed via authKey query arg. It overrides httpAuth.* settings
 -opentsdbHTTPListenAddr string
 TCP address to listen for OpentTSDB HTTP put requests. Usually :4242 must be set. Doesn't work if empty
 -opentsdbListenAddr string
@@ -1661,7 +1664,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -opentsdbhttpTrimTimestamp duration
 Trim timestamps for OpenTSDB HTTP data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
 -pprofAuthKey string
- Auth key for /debug/pprof. It overrides httpAuth settings
+ Auth key for /debug/pprof. It must be passed via authKey query arg. It overrides httpAuth.* settings
 -precisionBits int
 The number of precision bits to store per each value. Lower precision bits improves data compression at the cost of precision loss (default 64)
 -promscrape.cluster.memberNum int
diff --git a/docs/Single-server-VictoriaMetrics.md b/docs/Single-server-VictoriaMetrics.md
index 1d6ecea2e..2f00eb2a0 100644
--- a/docs/Single-server-VictoriaMetrics.md
+++ b/docs/Single-server-VictoriaMetrics.md
@@ -1217,6 +1217,7 @@ Consider setting the following command-line flags: * `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](#how-to-work-with-snapshots). * `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](#forced-merge). * `-search.resetCacheAuthKey` for protecting `/internal/resetRollupResultCache` endpoint. See [backfilling](#backfilling) for more details. +* `-configAuthKey` for pretecting `/config` endpoint, since it may contain sensitive information such as passwords. Explicitly set internal network interface for TCP and UDP ports for data ingestion with Graphite and OpenTSDB formats. For example, substitute `-graphiteListenAddr=:2003` with `-graphiteListenAddr=:2003`. @@ -1553,6 +1554,8 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li ``` -bigMergeConcurrency int The maximum number of CPU cores to use for big merges. Default value is used if set to 0 + -configAuthKey string + Authorization key for accessing /config page. It must be passed via authKey query arg -csvTrimTimestamp duration Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms) -datadog.maxInsertRequestSize size 
@@ -1652,7 +1655,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -memory.allowedPercent float
 Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from OS page cache which will result in higher disk IO usage (default 60)
 -metricsAuthKey string
- Auth key for /metrics. It overrides httpAuth settings
+ Auth key for /metrics. It must be passed via authKey query arg. It overrides httpAuth.* settings
 -opentsdbHTTPListenAddr string
 TCP address to listen for OpentTSDB HTTP put requests. Usually :4242 must be set. Doesn't work if empty
 -opentsdbListenAddr string
@@ -1665,7 +1668,7 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
 -opentsdbhttpTrimTimestamp duration
 Trim timestamps for OpenTSDB HTTP data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
 -pprofAuthKey string
- Auth key for /debug/pprof. It overrides httpAuth settings
+ Auth key for /debug/pprof. It must be passed via authKey query arg. It overrides httpAuth.* settings
 -precisionBits int
 The number of precision bits to store per each value. Lower precision bits improves data compression at the cost of precision loss (default 64)
 -promscrape.cluster.memberNum int
diff --git a/docs/vmagent.md b/docs/vmagent.md
index 89ba4f865..e2176f68d 100644
--- a/docs/vmagent.md
+++ b/docs/vmagent.md
@@ -711,6 +711,8 @@ vmagent collects metrics data via popular data ingestion protocols and routes th See the docs at https://docs.victoriametrics.com/vmagent.html . + -configAuthKey string + Authorization key for accessing /config page. It must be passed via authKey query arg -csvTrimTimestamp duration Trim timestamps when importing csv data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms) -datadog.maxInsertRequestSize size @@ -794,7 +796,7 @@ See the docs at https://docs.victoriametrics.com/vmagent.html . -memory.allowedPercent float Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from OS page cache which will result in higher disk IO usage (default 60) -metricsAuthKey string - Auth key for /metrics. It overrides httpAuth settings + Auth key for /metrics. It must be passed via authKey query arg. It overrides httpAuth.* settings -opentsdbHTTPListenAddr string TCP address to listen for OpentTSDB HTTP put requests. Usually :4242 must be set. Doesn't work if empty -opentsdbListenAddr string 
@@ -807,7 +809,7 @@ See the docs at https://docs.victoriametrics.com/vmagent.html .
 -opentsdbhttpTrimTimestamp duration
 Trim timestamps for OpenTSDB HTTP data to this duration. Minimum practical duration is 1ms. Higher duration (i.e. 1s) may be used for reducing disk space usage for timestamp data (default 1ms)
 -pprofAuthKey string
- Auth key for /debug/pprof. It overrides httpAuth settings
+ Auth key for /debug/pprof. It must be passed via authKey query arg. It overrides httpAuth.* settings
 -promscrape.cluster.memberNum int
 The number of number in the cluster of scrapers. It must be an unique value in the range 0 ... promscrape.cluster.membersCount-1 across scrapers in the cluster
 -promscrape.cluster.membersCount int
diff --git a/lib/httpserver/httpserver.go b/lib/httpserver/httpserver.go
index ba49b122c..0440a0dc5 100644
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -40,8 +40,8 @@ var (
 "See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus")
 httpAuthUsername = flag.String("httpAuth.username", "", "Username for HTTP Basic Auth. The authentication is disabled if empty. See also -httpAuth.password")
 httpAuthPassword = flag.String("httpAuth.password", "", "Password for HTTP Basic Auth. The authentication is disabled if -httpAuth.username is empty")
- metricsAuthKey = flag.String("metricsAuthKey", "", "Auth key for /metrics. It overrides httpAuth settings")
- pprofAuthKey = flag.String("pprofAuthKey", "", "Auth key for /debug/pprof. It overrides httpAuth settings")
+ metricsAuthKey = flag.String("metricsAuthKey", "", "Auth key for /metrics. It must be passed via authKey query arg. It overrides httpAuth.* settings")
+ pprofAuthKey = flag.String("pprofAuthKey", "", "Auth key for /debug/pprof. It must be passed via authKey query arg. It overrides httpAuth.* settings")
 disableResponseCompression = flag.Bool("http.disableResponseCompression", false, "Disable compression of HTTP responses to save CPU resources. By default compression is enabled to save network bandwidth")
 maxGracefulShutdownDuration = flag.Duration("http.maxGracefulShutdownDuration", 7*time.Second, `The maximum duration for a graceful shutdown of the HTTP server. A highly loaded server may require increased value for a graceful shutdown`)