[GitHub] [geronimo-metrics] diuis opened a new pull request #3: Accepted hosts starts with match


GitBox
diuis opened a new pull request #3: Accepted hosts starts with match
URL: https://github.com/apache/geronimo-metrics/pull/3
 
 
   Hi,
   I need to run my meecrowave microservice in a GCE k8s cluster, and I want to expose the metrics endpoint to prometheus-operator.
   The GET requests come from an IP range, and with the standard acceptedHosts configuration I can't use a fixed list of IPs.
   Can you do a review of my pull request?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[hidden email]


With regards,
Apache Git Services

[GitHub] [geronimo-metrics] rmannibucau commented on issue #3: Accepted hosts starts with match

GitBox
rmannibucau commented on issue #3: Accepted hosts starts with match
URL: https://github.com/apache/geronimo-metrics/pull/3#issuecomment-591846660
 
 
   Hi,
   
   I had the same issue in k8s and didn't want to add that because a startsWith does not guarantee an "invader" machine can't do the call.
   
   I can see multiple options:
   
   1. (currently used) you disable the default security validator (setSecurityValidator on the endpoint)
   2. we support an explicit range (10.0.0.[1-10]), leaving the deployer the responsibility to open a breach or not
   3. more advanced/complex ones (like using jsr223 etc)
   
   wdyt?

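The over-match behind the startsWith concern above, next to an explicit last-octet range in the `10.0.0.[1-10]` form from option 2, as an added example that is not geronimo-metrics code. The class name, method names and the exact range grammar are assumptions, and the remote values are constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AcceptedHostCheck {
    // Assumed grammar for the "10.0.0.[1-10]" form: three fixed octets, then [lo-hi].
    private static final Pattern RANGE = Pattern.compile(
            "(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\.\\[(\\d{1,3})-(\\d{1,3})\\]");

    // String prefix check, the behaviour named in the pull request title.
    static boolean prefixMatch(String accepted, String remote) {
        return remote.startsWith(accepted);
    }

    // Parse a dotted-quad literal without any DNS lookup; null if it is not one.
    static int[] octets(String ip) {
        String[] parts = ip.split("\\.", -1);
        if (parts.length != 4) return null;
        int[] out = new int[4];
        for (int i = 0; i < 4; i++) {
            if (!parts[i].matches("\\d{1,3}")) return null;
            out[i] = Integer.parseInt(parts[i]);
            if (out[i] > 255) return null;
        }
        return out;
    }

    // Numeric check: first three octets equal, last octet within [lo, hi].
    static boolean rangeMatch(String accepted, String remote) {
        Matcher m = RANGE.matcher(accepted);
        int[] ip = octets(remote);
        if (!m.matches() || ip == null) return false;
        int[] base = octets(m.group(1) + ".0");
        int lo = Integer.parseInt(m.group(2));
        int hi = Integer.parseInt(m.group(3));
        if (base == null || lo > hi || hi > 255) return false;
        return ip[0] == base[0] && ip[1] == base[1] && ip[2] == base[2]
                && ip[3] >= lo && ip[3] <= hi;
    }

    public static void main(String[] args) {
        // Constructed remote values; the last one is not an IP literal at all.
        String[] remotes = {"10.0.0.1", "10.0.0.10", "10.0.0.11", "10.0.0.100",
                "10.0.0.1.example.test"};
        for (String r : remotes) {
            System.out.printf("%-22s startsWith=%-5b range=%b%n", r,
                    prefixMatch("10.0.0.1", r), rangeMatch("10.0.0.[1-10]", r));
        }
    }
}
```

With the prefix `10.0.0.1`, every sample passes the string check, while the range accepts only `10.0.0.1` and `10.0.0.10`.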

[GitHub] [geronimo-metrics] diuis commented on issue #3: Accepted hosts starts with match

GitBox
In reply to this post by GitBox
diuis commented on issue #3: Accepted hosts starts with match
URL: https://github.com/apache/geronimo-metrics/pull/3#issuecomment-591921769
 
 
   Hi @rmannibucau,
   I don't know how to disable the security validator, but I like that the /metrics api is protected and not exposed to everyone.
   What do you think if the acceptedhosts parameter value is something like an ip range?
   For example, we could accept a string as [10.10.10.0..10.10.10.255] and write a range validator like this one:
   
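   ```java
   import static org.assertj.core.api.Assertions.assertThat; // assumed: AssertJ-style assertThat

   import java.math.BigInteger;
   import java.net.InetAddress;
   import java.net.UnknownHostException;
   import java.util.Optional;

   import org.junit.jupiter.params.ParameterizedTest;
   import org.junit.jupiter.params.provider.CsvSource;

   class IpRangeTest { // wrapper class name is illustrative
     @ParameterizedTest
     @CsvSource({ "[10.10.10.0..10.10.10.255],10.10.10.9,true", "[10.10.10.0..10.10.10.255],10.10.11.0,false" })
     void testIpRange(String ipRange, String ip, boolean expected) throws UnknownHostException {
       // Strip the surrounding brackets and split "min..max" into its two bounds.
       String[] bounds = Optional.ofNullable(ipRange)
                                 .filter(range -> range.startsWith("["))
                                 .filter(range -> range.endsWith("]"))
                                 .map(range -> range.substring(1, range.length() - 1))
                                 .map(range -> range.split("\\.\\."))
                                 .filter(values -> values.length == 2)
                                 .orElseThrow(() -> new IllegalArgumentException("not a range: " + ipRange));

       // Signum 1 reads the address bytes as unsigned, so addresses at or above
       // 128.0.0.0 do not become negative and break the ordering.
       var addressMin = new BigInteger(1, InetAddress.getByName(bounds[0])
                                                     .getAddress()).longValue();
       var addressMax = new BigInteger(1, InetAddress.getByName(bounds[1])
                                                     .getAddress()).longValue();

       var addressBetween = new BigInteger(1, InetAddress.getByName(ip)
                                                         .getAddress()).longValue();

       // Equivalent to addressMin <= addressBetween && addressBetween <= addressMax.
       var actual = Math.max(addressMin, addressBetween) == Math.min(addressBetween, addressMax);

       assertThat(actual).isEqualTo(expected);
     }
   }
   ```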
   


[GitHub] [geronimo-metrics] diuis edited a comment on issue #3: Accepted hosts starts with match

GitBox
In reply to this post by GitBox
diuis edited a comment on issue #3: Accepted hosts starts with match
URL: https://github.com/apache/geronimo-metrics/pull/3#issuecomment-591921769
 
 
   Hi @rmannibucau,
   I don't know how to disable the security validator, but I like that the /metrics api is protected and not exposed to everyone.
   What do you think if the acceptedhosts parameter value is something like an ip range?
   For example, we could accept a string as [10.10.10.0..10.10.10.255] and write a range validator like this one:
   
   [code](https://gist.github.com/diuis/373c6630a115ed0a514679efecf4b41a)
   


[GitHub] [geronimo-metrics] diuis commented on issue #3: Accepted hosts starts with match

GitBox
In reply to this post by GitBox
diuis commented on issue #3: Accepted hosts starts with match
URL: https://github.com/apache/geronimo-metrics/pull/3#issuecomment-591999701
 
 
   I opened a new pull request: [https://github.com/apache/geronimo-metrics/pull/4](https://github.com/apache/geronimo-metrics/pull/4)


[GitHub] [geronimo-metrics] diuis closed pull request #3: Accepted hosts starts with match

GitBox
In reply to this post by GitBox
diuis closed pull request #3: Accepted hosts starts with match
URL: https://github.com/apache/geronimo-metrics/pull/3
 
 
   
