web: disable Amin APIs by default
This commit is contained in:
Fabian Reinartz
parent
ccf9e62972
commit
45ac064669
|
|
@ -127,6 +127,9 @@ func main() {
|
|||
a.Flag("web.enable-remote-shutdown", "Enable shutdown via HTTP request.").
|
||||
Default("false").BoolVar(&cfg.web.EnableQuit)
|
||||
|
||||
a.Flag("web.enable-admin-api", "Enables API endpoints for admin control actions").
|
||||
Default("false").BoolVar(&cfg.web.EnableAdminAPI)
|
||||
|
||||
a.Flag("web.console.templates", "Path to the console template directory, available at /consoles.").
|
||||
Default("consoles").StringVar(&cfg.web.ConsoleTemplatesPath)
|
||||
|
||||
|
|
|
|||
|
|
@ -44,6 +44,7 @@ import (
|
|||
|
||||
// API encapsulates all API services.
|
||||
type API struct {
|
||||
enableAdmin bool
|
||||
now func() time.Time
|
||||
db *tsdb.DB
|
||||
q func(mint, maxt int64) storage.Querier
|
||||
|
|
@ -59,6 +60,7 @@ func New(
|
|||
q func(mint, maxt int64) storage.Querier,
|
||||
targets func() []*retrieval.Target,
|
||||
alertmanagers func() []*url.URL,
|
||||
enableAdmin bool,
|
||||
) *API {
|
||||
return &API{
|
||||
now: now,
|
||||
|
|
@ -66,12 +68,17 @@ func New(
|
|||
q: q,
|
||||
targets: targets,
|
||||
alertmanagers: alertmanagers,
|
||||
enableAdmin: enableAdmin,
|
||||
}
|
||||
}
|
||||
|
||||
// RegisterGRPC registers all API services with the given server.
|
||||
func (api *API) RegisterGRPC(srv *grpc.Server) {
|
||||
pb.RegisterAdminServer(srv, NewAdmin(api.db))
|
||||
if api.enableAdmin {
|
||||
pb.RegisterAdminServer(srv, NewAdmin(api.db))
|
||||
} else {
|
||||
pb.RegisterAdminServer(srv, &adminDisabled{})
|
||||
}
|
||||
}
|
||||
|
||||
// HTTPHandler returns an HTTP handler for a REST API gateway to the given grpc address.
|
||||
|
|
@ -125,6 +132,21 @@ func labelsToProto(lset labels.Labels) pb.Labels {
|
|||
return r
|
||||
}
|
||||
|
||||
// adminDisabled implements the administration interface that informs
|
||||
// that the API endpoints are disbaled.
|
||||
type adminDisabled struct {
|
||||
}
|
||||
|
||||
// TSDBSnapshot implements pb.AdminServer.
|
||||
func (s *adminDisabled) TSDBSnapshot(_ context.Context, _ *pb.TSDBSnapshotRequest) (*pb.TSDBSnapshotResponse, error) {
|
||||
return nil, status.Error(codes.Unavailable, "Admin APIs are disabled")
|
||||
}
|
||||
|
||||
// DeleteSeries imeplements pb.AdminServer.
|
||||
func (s *adminDisabled) DeleteSeries(_ context.Context, r *pb.SeriesDeleteRequest) (*pb.SeriesDeleteResponse, error) {
|
||||
return nil, status.Error(codes.Unavailable, "Admin APIs are disabled")
|
||||
}
|
||||
|
||||
// Admin provides an administration interface to Prometheus.
|
||||
type Admin struct {
|
||||
db *tsdb.DB
|
||||
|
|
|
|||
|
|
@ -133,6 +133,7 @@ type Options struct {
|
|||
ConsoleTemplatesPath string
|
||||
ConsoleLibrariesPath string
|
||||
EnableQuit bool
|
||||
EnableAdminAPI bool
|
||||
}
|
||||
|
||||
// New initializes a new web Handler.
|
||||
|
|
@ -301,6 +302,7 @@ func (h *Handler) Run(ctx context.Context) error {
|
|||
func() []*url.URL {
|
||||
return h.options.Notifier.Alertmanagers()
|
||||
},
|
||||
h.options.EnableAdminAPI,
|
||||
)
|
||||
av2.RegisterGRPC(grpcSrv)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue