Authentication for metrics and version endpoint

[naveenpaul1]

Describe the Problem

Noobaa provides multiple metrics endpoints for customers. The first one is Noobaa management service and the other one is Noobaa endpoint service. In the case of Noobaa management metrics endpoint, Noobaa provides a route to fetch the metrics. And for Noobaa endpoint metrics, metrics can be fetched by loadbalancer IP and port. Anyone with a valid URL can access these metrics endpoints without any kind of authentication.

Explain the Changes

noobaa -core

1. JWT token will be authenticated Inside metrics_request_handler() and get_version_handler()
2. JWT token will be verified against signature and role metrics-auth, with the role validation we can make sure other JWT tokens signed using the same secret won’t work.
3. Invalid auth token will return 403 error

Issues: Fixed #xxx / Gap #xxx

1. RHSTOR-7202
2. DFBUGS-1802

Testing Instructions:

containerized deployment

1. The customer should be able to access the bearer token from the secret metrics-auth-secret, secret can be used for accessing noobaa management and endpoint metrics/version.

JWT_TOKEN=$(oc get secret/{token-secret-name} -n {namespace} -o jsonpath={.data.metrics_token} | base64 -d)    
curl -k -H "Authorization: Bearer ${JWT_TOKEN "https://{endpoint-loadbalancer-ingress-ip}:{endpoint-port}
curl -k -H "Authorization: Bearer ${JWT_TOKEN}" https://$(oc -n {namespace} get route noobaa-mgmt -o jsonpath='{.status.ingress[*].host}/version or metrics endpoints')

Design doc : https://ibm.ent.box.com/notes/1853310270159

• Doc added/updated
• Tests added

[tangledbytes]

Why text/plain and not application/json if the format is JSON? Same for prometheus reporting.

[guymguym]

First this error handling shouldn't be here. as noted below this should be in a function in http_utils.
Second - why are we authenticating the get_version call ??

[naveenpaul1]

Parent link for this epic: RHSTOR-7202 mentioned that version also needs to be authenticated.

[guymguym]

I dont know what is mentioned there and why, but I am afraid that it will fail the callers to this version route as they dont authenticate and just use plain curl. did you check who is calling it in the core and operator code bases?

[naveenpaul1]

in operator I couldnt find the direct call to version endpoint, in core I could find one reference for version here, Is this code still in use?
Customer concern is about exposing the version, and vulnerabilities associated with it.

[guymguym]

we always return the server version as a header - see endpoint_utils.set_noobaa_server_header

is this critical enough to require a change?

[guymguym]

We better add a config option that allow us to turn on/off the auth for both metrics and version routes (one config for each because different clients use it)

[naveenpaul1]

ok, and for metrics and version default value for auth enabled?
config.METRICS_AUTH_ENABLED = true;
config.VERSION_AUTH_ENABLED = true;

[guymguym]

First this error handling shouldn't be here. as noted below this should be in a function in http_utils.
Second - why are we authenticating the get_version call ??

[guymguym]

this is not enough, the caller should check for this return, and the normal path should return true. but i think maybe this is better be thrown instead.

[naveenpaul1]

all the methods ends with res.end() do not send anything back, simply end the method with res.end()
An I tested the flow with this change and its working without any issues

[guymguym]

i am not sure about the default being true. will that break anything?

[naveenpaul1]

I couldnt find issues during my testing.