remove public access to metrics and updated uri metrics output #114
Conversation
|
@CathalOConnorRH have we tested with keycloak on kubernetes? if it doesnt work there, we need to explicitly mention that this would only for openshift deployments. |
@Rajagopalan-Ranganathan We have tested but this doesn't work on kubernetes out of the box, it may if there is a proxy in front of the pod that sets the 'x-forwarded-host' header |
|
@pb82 can we have this reviewed and merged? we are waiting for this change to be rolled out , so that we can promote our changes to prod. |
| public Response get(@Context HttpServletRequest servletRequest, @Context HttpHeaders headers) { | ||
|
|
||
| if (DISABLE_OPENSHIFT_EXTERNAL_ACCESS){ | ||
| if ( !headers.getRequestHeader("x-forwarded-host").isEmpty() ) { |
There was a problem hiding this comment.
@CathalOConnorRH Can we rename the flag to DISABLE_EXTERNAL_ACCESS? The spi itself, nor the x-forwarded-host are not OpenShift specific.
The value of the header is not checked. So any requester who sets the header would be permitted. Is that ok?
There was a problem hiding this comment.
updated env var and readme
|
@Rajagopalan-Ranganathan on it, sorry for the delay |
thanks! |
a5d66bc to
6fb77c0
Compare
Motivation
Metrics are accessible outside of an openshift cluster,
I've added a parameter to disable external access once the 'x-forwarded-host' header has data into as added by ha proxy on cluster.
Updated metrics to replace client id with '{id}' when uri metrics are enabled and not detailed.