Return error when a standby node receives a metrics request (#8280)

* Return error when a standby node receives a metrics request * fix test * Add documentation note
2020-02-07 09:30:25 +01:00 · 2020-02-07 09:30:25 +01:00 · 3a4d330f64
parent f46769b441
commit 3a4d330f64
4 changed files with 25 additions and 3 deletions
--- a/http/handler.go
+++ b/http/handler.go
@ -19,8 +19,8 @@ import (
 	"github.com/NYTimes/gziphandler"
 	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/hashicorp/errwrap"
-	"github.com/hashicorp/go-cleanhttp"
-	"github.com/hashicorp/go-sockaddr"
+	cleanhttp "github.com/hashicorp/go-cleanhttp"
+	sockaddr "github.com/hashicorp/go-sockaddr"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
@ -162,6 +162,8 @@ func Handler(props *vault.HandlerProperties) http.Handler {
 		// Register metrics path without authentication if enabled
 		if props.UnauthenticatedMetricsAccess {
 			mux.Handle("/v1/sys/metrics", handleMetricsUnauthenticated(core))
+		} else {
+			mux.Handle("/v1/sys/metrics", handleLogicalNoForward(core))
 		}

 		additionalRoutes(mux, core)
--- a/http/logical.go
+++ b/http/logical.go
@ -12,7 +12,7 @@ import (
 	"time"

 	"github.com/hashicorp/errwrap"
-	"github.com/hashicorp/go-uuid"
+	uuid "github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/logical"
@ -332,6 +332,14 @@ func handleLogicalInternal(core *vault.Core, injectDataIntoTopLevel bool, noForw
 					}
 				}
 			}
+
+		// Prevent any metrics requests to be forwarded from a standby node.
+		// Instead, we return an error since we cannot be sure if we have an
+		// active token store to validate the provided token.
+		case strings.HasPrefix(req.Path, "sys/metrics"):
+			if isStandby, _ := core.Standby(); isStandby {
+				respondError(w, http.StatusBadRequest, vault.ErrCannotForwardLocalOnly)
+			}
 		}

 		// Make the internal request. We attach the connection info
--- a/http/sys_metrics.go
+++ b/http/sys_metrics.go
@ -13,6 +13,12 @@ func handleMetricsUnauthenticated(core *vault.Core) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		req := &logical.Request{Headers: r.Header}

+		switch r.Method {
+		case "GET":
+		default:
+			respondError(w, http.StatusMethodNotAllowed, nil)
+		}
+
 		// Parse form
 		if err := r.ParseForm(); err != nil {
 			respondError(w, http.StatusBadRequest, err)
--- a/website/pages/docs/configuration/telemetry.mdx
+++ b/website/pages/docs/configuration/telemetry.mdx
@ -141,6 +141,10 @@ These `telemetry` parameters apply to

 ### `prometheus`

+~> **Note:** The `/v1/sys/metrics` endpoint is only accessible on active nodes
+and automatically disabled on standby nodes. You can enable the `/v1/sys/metrics`
+endpoint on standby nodes by [enabling unauthenticated metrics access][telemetry-tcp].
+
 These `telemetry` parameters apply to
 [prometheus](https://prometheus.io).

@ -206,3 +210,5 @@ telemetry {
  enable_hostname_label = true
 }
 ```
+
+[telemetry-tcp]: /docs/configuration/listener/tcp#telemetry